From: dsugar@tresys.com (David Sugar) Date: Tue, 12 Dec 2017 02:15:18 +0000 Subject: [refpolicy] [PATCH 1/3-v4] Make an attribute for objects in /run/user/%{USERID}/* Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Setup attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/* interfaces to associate this attribute with types and interfaces to delete types with this attribute. Signed-off-by: Dave Sugar --- policy/modules/system/userdomain.if | 156 +++++++++++++++++++++++++++++++++++- policy/modules/system/userdomain.te | 4 + 2 files changed, 159 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index b2105d12..11b15dbb 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -2933,6 +2933,28 @@ interface(`userdom_relabel_user_tmpfs_files',` ######################################## ## +## Make the specified type usable in +## the directory /run/user/%{USERID}/. +## +## +## +## Type to be used as a file in the +## user_runtime_content_dir_t. +## +## +# +interface(`userdom_user_runtime_content',` + gen_require(` + attribute user_runtime_content_type; + ') + + typeattribute $1 user_runtime_content_type; + files_type($1) + ubac_constrained($1) +') + +######################################## +## ## Search users runtime directories. ## ## 
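Review bot: The new `userdom_user_runtime_content` interface applies `files_type($1)` and `ubac_constrained($1)` but no tmpfs association; /run/user/%{USERID} is normally a tmpfs mount, so a type that only carries this attribute may still be refused creation there unless every caller remembers to add `fs_associate_tmpfs($1)` itself. If that is meant to be the caller's job the summary should say so; otherwise adding `fs_associate_tmpfs($1)` next to `files_type($1)` keeps the interface self-contained. The parameter text also says the type is "used as a file in the user_runtime_content_dir_t", but I do not see a type of that name anywhere in this patch; the directory type the attribute is attached to in userdomain.te is `user_runtime_t`, so the description should probably name that instead.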
@@ -3098,7 +3120,139 @@ interface(`userdom_delete_user_runtime_files',` ') allow $1 user_runtime_t:dir list_dir_perms; - allow $1 user_runtime_t:file unlink; + allow $1 user_runtime_t:file delete_file_perms; +') + +######################################## +## +## Search users runtime directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_search_all_user_runtime',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir search_dir_perms; + userdom_search_user_runtime_root($1) +') + +######################################## +## +## List user runtime directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_list_all_user_runtime',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir list_dir_perms; + userdom_search_user_runtime($1) +') + +######################################## +## +## delete user runtime directories +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_runtime_dirs',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms }; +') + +######################################## +## +## delete user runtime files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_runtime_files',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir list_dir_perms; + allow $1 user_runtime_content_type:file delete_file_perms; +') + +######################################## +## +## delete user runtime symlink files +## +## +## +## Domain allowed access. 
+## +## +# +interface(`userdom_delete_all_user_runtime_symlinks',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir list_dir_perms; + allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms; +') + +######################################## +## +## delete user runtime fifo files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_runtime_named_pipes',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir list_dir_perms; + allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms; +') + +######################################## +## +## delete user runtime socket files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_runtime_named_sockets',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir list_dir_perms; + allow $1 user_runtime_content_type:file delete_sock_file_perms; ') ######################################## diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 8abd6dbe..5dab993c 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -75,6 +75,9 @@ attribute unpriv_userdomain; attribute user_home_content_type; +# dirs/files/etc created in /run/user/%{USERID}/ +attribute user_runtime_content_type; + type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) @@ -128,3 +131,4 @@ files_poly(user_runtime_t) files_poly_member(user_runtime_t) files_poly_parent(user_runtime_t) ubac_constrained(user_runtime_t) +userdom_user_runtime_content(user_runtime_t) -- 2.13.6
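Review bot: Two of the new delete interfaces pair their permission set with the wrong object class: `userdom_delete_all_user_runtime_symlinks` grants `user_runtime_content_type:fifo_file delete_lnk_file_perms` and `userdom_delete_all_user_runtime_named_sockets` grants `user_runtime_content_type:file delete_sock_file_perms`. Both compile, because getattr/unlink exist on every file class, but the result is that callers cannot actually remove symlinks or sockets, and the sockets interface instead hands out unlink on regular files, which is more than its name promises. They should read `allow $1 user_runtime_content_type:lnk_file delete_lnk_file_perms;` and `allow $1 user_runtime_content_type:sock_file delete_sock_file_perms;`. Separately, the summaries of the new `_all_` interfaces repeat the existing single-type ones word for word (`## Search users runtime directories.`); saying "all user runtime content" in each would help callers pick the intended interface.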
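Review bot: `userdom_user_runtime_content(user_runtime_t)` gives the per-user runtime directory type itself the content attribute, which means the new `*_delete_all_user_runtime_*` interfaces now reach the /run/user/%{USERID} directories and not only what is created inside them; that widening deserves a comment on the line, e.g. `# user_runtime_t is also content so the *_all_user_runtime_* interfaces cover it`. The call also re-applies `ubac_constrained` (already on the line above) and presumably `files_type` to user_runtime_t; this is harmless duplication, but since the attribute is declared in this same module, `typeattribute user_runtime_t user_runtime_content_type;` would state the intent without the round-trip through the interface.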