From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 12 Dec 2017 20:19:34 -0500
Subject: [refpolicy] [PATCH 1/3-v4] Make an attribute for objects in /run/user/%{USERID}/*
In-Reply-To:
References:
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/11/2017 09:15 PM, David Sugar via refpolicy wrote:
> Setup attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/* interfaces to associate this attribute with types and interfaces to delete types with this attribute.
>
> Signed-off-by: Dave Sugar
> ---
> policy/modules/system/userdomain.if | 156 +++++++++++++++++++++++++++++++++++-
> policy/modules/system/userdomain.te | 4 +
> 2 files changed, 159 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index b2105d12..11b15dbb 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -2933,6 +2933,28 @@ interface(`userdom_relabel_user_tmpfs_files',`
>
> ########################################
> ##
> +## Make the specified type usable in
> +## the directory /run/user/%{USERID}/.
> +##
> +##
> +##
> +## Type to be used as a file in the
> +## user_runtime_content_dir_t.
> +##
> +##
> +#
> +interface(`userdom_user_runtime_content',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + typeattribute $1 user_runtime_content_type;
> + files_type($1)
> + ubac_constrained($1)
> +')
> +
> +########################################
> +##
> ## Search users runtime directories.
> ##
> ##
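Review bot: The parameter summary of `userdom_user_runtime_content` names `user_runtime_content_dir_t`, a type that does not exist anywhere in this patch; the attribute being assigned is `user_runtime_content_type` and the directory type it describes is `user_runtime_t`. Since the interface is also applied to a directory type later in the series (`userdom_user_runtime_content(user_runtime_t)` in userdomain.te), "as a file" undersells it as well. I would reword the param summary to `## Type to be used as a file, directory or other object under user_runtime_t (/run/user/%{USERID}/).`. It is also worth a one-line note in the summary that the interface already applies `files_type()` and `ubac_constrained()` to `$1`, so callers must not repeat those.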
> @@ -3098,7 +3120,139 @@ interface(`userdom_delete_user_runtime_files',`
> ')
>
> allow $1 user_runtime_t:dir list_dir_perms;
> - allow $1 user_runtime_t:file unlink;
> + allow $1 user_runtime_t:file delete_file_perms;
> +')
> +
> +########################################
> +##
> +## Search users runtime directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_search_all_user_runtime',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir search_dir_perms;
> + userdom_search_user_runtime_root($1)
> +')
> +
> +########################################
> +##
> +## List user runtime directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_list_all_user_runtime',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + userdom_search_user_runtime($1)
> +')
> +
> +########################################
> +##
> +## delete user runtime directories
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_delete_all_user_runtime_dirs',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
> +')
> +
> +########################################
> +##
> +## delete user runtime files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_delete_all_user_runtime_files',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:file delete_file_perms;
> +')
> +
> +########################################
> +##
> +## delete user runtime symlink files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_delete_all_user_runtime_symlinks',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +##
> +## delete user runtime fifo files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_delete_all_user_runtime_named_pipes',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
> +')
> +
> +########################################
> +##
> +## delete user runtime socket files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_delete_all_user_runtime_named_sockets',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:file delete_sock_file_perms;
> ')
>
> ########################################
> diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
> index 8abd6dbe..5dab993c 100644
> --- a/policy/modules/system/userdomain.te
> +++ b/policy/modules/system/userdomain.te
> @@ -75,6 +75,9 @@ attribute unpriv_userdomain;
>
> attribute user_home_content_type;
>
> +# dirs/files/etc created in /run/user/%{USERID}/
> +attribute user_runtime_content_type;
> +
> type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
> fs_associate_tmpfs(user_home_dir_t)
> files_type(user_home_dir_t)
> @@ -128,3 +131,4 @@ files_poly(user_runtime_t)
> files_poly_member(user_runtime_t)
> files_poly_parent(user_runtime_t)
> ubac_constrained(user_runtime_t)
> +userdom_user_runtime_content(user_runtime_t)

Merged.

--
Chris PeBenito
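Review bot: Two of the new delete interfaces grant on the wrong object class: `userdom_delete_all_user_runtime_symlinks` allows `fifo_file delete_lnk_file_perms` and `userdom_delete_all_user_runtime_named_sockets` allows `file delete_sock_file_perms`, so a caller asking to remove symlinks gets fifo removal instead and a caller asking to remove sockets gets plain-file removal, while the documented objects stay undeletable. The lines should read `allow $1 user_runtime_content_type:lnk_file delete_lnk_file_perms;` and `allow $1 user_runtime_content_type:sock_file delete_sock_file_perms;`. Because the `delete_*_perms` macros presumably expand to permissions (getattr/unlink) that `fifo_file` and `file` also carry, I would expect this to compile cleanly and grant the wrong access silently, which is why it needs catching at review rather than by the build. Separately, `userdom_search_all_user_runtime` pulls in `userdom_search_user_runtime_root($1)` while `userdom_list_all_user_runtime` pulls in `userdom_search_user_runtime($1)`; if that asymmetry is deliberate a one-line comment would save the next reader from "fixing" it.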
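Review bot: Adding `userdom_user_runtime_content(user_runtime_t)` puts the /run/user/%{USERID} directory type itself on `user_runtime_content_type`, so every `userdom_*_all_user_runtime*` interface introduced in this patch (notably `userdom_delete_all_user_runtime_dirs`) now also reaches the per-user runtime directory, not only the objects created inside it. If that widening is intended, as it plausibly is for whatever tears the directory down at logout, it deserves a comment on this line, e.g. `# user_runtime_t carries the attribute too, so the *_all_user_runtime* interfaces cover /run/user/%{USERID} itself`. The call also re-applies `files_type()` and `ubac_constrained()` to `user_runtime_t`, duplicating the `ubac_constrained(user_runtime_t)` line immediately above; harmless, but the earlier line could be dropped to keep a single source of truth.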