2017-12-12 02:15:18

by Sugar, David

Subject: [refpolicy] [PATCH 1/3-v4] Make an attribute for objects in /run/user/%{USERID}/*

Set up the attribute user_runtime_content_type in userdomain for objects in /run/user/%{USERID}/*, an interface to associate this attribute with a type, and interfaces to search, list and delete objects carrying this attribute.

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/userdomain.if | 156 +++++++++++++++++++++++++++++++++++-
policy/modules/system/userdomain.te | 4 +
2 files changed, 159 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b2105d12..11b15dbb 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2933,6 +2933,28 @@ interface(`userdom_relabel_user_tmpfs_files',`

########################################
## <summary>
+## Make the specified type usable in
+## the directory /run/user/%{USERID}/.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a file in the
+## user_runtime_content_dir_t.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_content',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ typeattribute $1 user_runtime_content_type;
+ files_type($1)
+ ubac_constrained($1)
+')
+
+########################################
+## <summary>
## Search users runtime directories.
## </summary>
## <param name="domain">
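Review bot: The parameter doc for userdom_user_runtime_content names `user_runtime_content_dir_t`, which does not appear anywhere in this patch; the .te hunk attaches the attribute to user_runtime_t, the type of /run/user/%{USERID}/ itself. This reads like a copy-paste from the user_home_content interface and sends readers looking for a type that presumably does not exist. Suggest `## Type to be used as a file in a user runtime directory (/run/user/%{USERID}/).` The interface also applies files_type and ubac_constrained to the type, which the summary does not mention; a line such as `## The type is also marked as a file type and UBAC constrained.` would make that side effect visible to callers.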
@@ -3098,7 +3120,139 @@ interface(`userdom_delete_user_runtime_files',`
')

allow $1 user_runtime_t:dir list_dir_perms;
- allow $1 user_runtime_t:file unlink;
+ allow $1 user_runtime_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Search users runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_all_user_runtime',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir search_dir_perms;
+ userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+## List user runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_all_user_runtime',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
+## delete user runtime directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_dirs',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
+')
+
+########################################
+## <summary>
+## delete user runtime files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_files',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## delete user runtime symlink files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_symlinks',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## delete user runtime fifo files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_named_pipes',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## delete user runtime socket files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_named_sockets',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:file delete_sock_file_perms;
')

########################################
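Review bot: userdom_delete_all_user_runtime_symlinks grants delete_lnk_file_perms on the fifo_file class rather than lnk_file, and userdom_delete_all_user_runtime_named_sockets grants delete_sock_file_perms on the file class rather than sock_file, so neither interface does what its name and summary say. The getattr/unlink permissions those macros expand to are presumably valid on fifo_file and file as well, so the policy builds cleanly and the mistake only surfaces as AVC denials at runtime. The two lines should read `allow $1 user_runtime_content_type:lnk_file delete_lnk_file_perms;` and `allow $1 user_runtime_content_type:sock_file delete_sock_file_perms;`. The summary of userdom_search_all_user_runtime also repeats the existing "Search users runtime directories." text of the non-attribute interface; `## Search all user runtime content directories.` would distinguish the two.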
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 8abd6dbe..5dab993c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -75,6 +75,9 @@ attribute unpriv_userdomain;

attribute user_home_content_type;

+# dirs/files/etc created in /run/user/%{USERID}/
+attribute user_runtime_content_type;
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
@@ -128,3 +131,4 @@ files_poly(user_runtime_t)
files_poly_member(user_runtime_t)
files_poly_parent(user_runtime_t)
ubac_constrained(user_runtime_t)
+userdom_user_runtime_content(user_runtime_t)
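Review bot: The new userdom_user_runtime_content(user_runtime_t) call re-applies ubac_constrained to user_runtime_t, which the line directly above already does, and files_type, which is presumably applied to this type earlier in the file outside the hunk. The duplication is harmless, but the explicit `ubac_constrained(user_runtime_t)` line can be dropped once the interface call is in place so the interface is the single statement of what the attribute implies. Failing that, a short comment on the new line noting that the interface also applies files_type and ubac_constrained would explain why the type is marked twice.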
--
2.13.6


2017-12-13 01:19:34

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3-v4] Make an attribute for objects in /run/user/%{USERID}/*

On 12/11/2017 09:15 PM, David Sugar via refpolicy wrote:
> Setup attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/* interfaces to associate this attribute with types and interfaces to delete types with this attribute.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/userdomain.if | 156 +++++++++++++++++++++++++++++++++++-
> policy/modules/system/userdomain.te | 4 +
> 2 files changed, 159 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index b2105d12..11b15dbb 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -2933,6 +2933,28 @@ interface(`userdom_relabel_user_tmpfs_files',`
>
> ########################################
> ## <summary>
> +## Make the specified type usable in
> +## the directory /run/user/%{USERID}/.
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type to be used as a file in the
> +## user_runtime_content_dir_t.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_user_runtime_content',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + typeattribute $1 user_runtime_content_type;
> + files_type($1)
> + ubac_constrained($1)
> +')
> +
> +########################################
> +## <summary>
> ## Search users runtime directories.
> ## </summary>
> ## <param name="domain">
> @@ -3098,7 +3120,139 @@ interface(`userdom_delete_user_runtime_files',`
> ')
>
> allow $1 user_runtime_t:dir list_dir_perms;
> - allow $1 user_runtime_t:file unlink;
> + allow $1 user_runtime_t:file delete_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Search users runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_search_all_user_runtime',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir search_dir_perms;
> + userdom_search_user_runtime_root($1)
> +')
> +
> +########################################
> +## <summary>
> +## List user runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_list_all_user_runtime',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + userdom_search_user_runtime($1)
> +')
> +
> +########################################
> +## <summary>
> +## delete user runtime directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_all_user_runtime_dirs',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
> +')
> +
> +########################################
> +## <summary>
> +## delete user runtime files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_all_user_runtime_files',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:file delete_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## delete user runtime symlink files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_all_user_runtime_symlinks',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## delete user runtime fifo files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_all_user_runtime_named_pipes',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## delete user runtime socket files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_all_user_runtime_named_sockets',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:file delete_sock_file_perms;
> ')
>
> ########################################
> diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
> index 8abd6dbe..5dab993c 100644
> --- a/policy/modules/system/userdomain.te
> +++ b/policy/modules/system/userdomain.te
> @@ -75,6 +75,9 @@ attribute unpriv_userdomain;
>
> attribute user_home_content_type;
>
> +# dirs/files/etc created in /run/user/%{USERID}/
> +attribute user_runtime_content_type;
> +
> type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
> fs_associate_tmpfs(user_home_dir_t)
> files_type(user_home_dir_t)
> @@ -128,3 +131,4 @@ files_poly(user_runtime_t)
> files_poly_member(user_runtime_t)
> files_poly_parent(user_runtime_t)
> ubac_constrained(user_runtime_t)
> +userdom_user_runtime_content(user_runtime_t)

Merged.

--
Chris PeBenito