From: dsugar@tresys.com (David Sugar)
Date: Tue, 12 Dec 2017 02:15:18 +0000
Subject: [refpolicy] [PATCH 1/3-v4] Make an attribute for objects in
	/run/user/%{USERID}/*
Message-ID: <CO1PR15MB10326C012C34F6CDB18DEB11B9340@CO1PR15MB1032.namprd15.prod.outlook.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Setup attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/* interfaces to associate this attribute with types and interfaces to delete types with this attribute.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/userdomain.if | 156 +++++++++++++++++++++++++++++++++++-
 policy/modules/system/userdomain.te |   4 +
 2 files changed, 159 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b2105d12..11b15dbb 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2933,6 +2933,28 @@ interface(`userdom_relabel_user_tmpfs_files',`
 
 ########################################
 ## <summary>
+##	Make the specified type usable in 
+##	the directory /run/user/%{USERID}/.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a file in the
+##	user_runtime_content_dir_t.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_content',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	typeattribute $1 user_runtime_content_type;
+	files_type($1)
+	ubac_constrained($1)
+')
+
+########################################
+## <summary>
 ##	Search users runtime directories.
 ## </summary>
 ## <param name="domain">
@@ -3098,7 +3120,139 @@ interface(`userdom_delete_user_runtime_files',`
 	')
 
 	allow $1 user_runtime_t:dir list_dir_perms;
-	allow $1 user_runtime_t:file unlink;
+	allow $1 user_runtime_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	Search users runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_all_user_runtime',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir search_dir_perms;
+	userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+##	List user runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_list_all_user_runtime',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
+##	delete user runtime directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_dirs',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
+')
+
+########################################
+## <summary>
+##	delete user runtime files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_files',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	delete user runtime symlink files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_symlinks',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	delete user runtime fifo files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_named_pipes',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	delete user runtime socket files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_named_sockets',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:file delete_sock_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 8abd6dbe..5dab993c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -75,6 +75,9 @@ attribute unpriv_userdomain;
 
 attribute user_home_content_type;
 
+# dirs/files/etc created in /run/user/%{USERID}/
+attribute user_runtime_content_type;
+
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
@@ -128,3 +131,4 @@ files_poly(user_runtime_t)
 files_poly_member(user_runtime_t)
 files_poly_parent(user_runtime_t)
 ubac_constrained(user_runtime_t)
+userdom_user_runtime_content(user_runtime_t)
-- 
2.13.6