privhome implementation

refpolicy/policy/modules.conf

@@ -11,14 +11,6 @@
 # as individual loadable modules.
 #
 
-# Layer: kernel
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
 # Layer: kernel
 # Module: filesystem
 # Required in base
@@ -59,6 +51,14 @@ terminal = base
 # 
 kernel = base
 
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+# 
+devices = base
+
 # Layer: kernel
 # Module: corenetwork
 # Required in base
@@ -261,13 +261,6 @@ storage = base
 # 
 portmap = module
 
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-# 
-apm = base
-
 # Layer: services
 # Module: remotelogin
 #
@@ -275,6 +268,13 @@ apm = base
 # 
 remotelogin = base
 
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+# 
+ntp = base
+
 # Layer: services
 # Module: rlogin
 #
@@ -283,25 +283,11 @@ remotelogin = base
 rlogin = base
 
 # Layer: services
-# Module: postfix
+# Module: inetd
 #
-# Postfix email server
+# Internet services daemon.
 # 
-postfix = base
+inetd = base
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-# 
-cyrus = base
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-# 
-rsync = base
 
 # Layer: services
 # Module: ktalk
@@ -318,11 +304,11 @@ ktalk = base
 finger = base
 
 # Layer: services
-# Module: cron
+# Module: howl
 #
-# Periodic execution of scheduled commands.
+# Port of Apple Rendezvous multicast DNS
 # 
-cron = base
+howl = base
 
 # Layer: services
 # Module: tftp
@@ -332,11 +318,11 @@ cron = base
 tftp = base
 
 # Layer: services
-# Module: canna
+# Module: kerberos
 #
-# Canna - kana-kanji conversion server
+# MIT Kerberos admin and KDC
 # 
-canna = base
+kerberos = base
 
 # Layer: services
 # Module: gpm
@@ -346,11 +332,32 @@ canna = base
 gpm = off
 
 # Layer: services
-# Module: nscd
+# Module: uucp
 #
-# Name service cache daemon
+# Unix to Unix Copy
 # 
-nscd = base
+uucp = base
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+# 
+apache = module
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+# 
+dhcp = module
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+# 
+inn = base
 
 # Layer: services
 # Module: sendmail
@@ -359,13 +366,6 @@ nscd = base
 # 
 sendmail = off
 
-# Layer: services
-# Module: stunnel
-#
-# SSL Tunneling Proxy
-# 
-stunnel = base
-
 # Layer: services
 # Module: dbus
 #
@@ -374,25 +374,11 @@ stunnel = base
 dbus = base
 
 # Layer: services
-# Module: ftp
+# Module: rshd
 #
-# File transfer protocol service
+# Remote shell service.
 # 
-ftp = base
+rshd = base
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-# 
-dbskk = base
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-# 
-tcpd = base
 
 # Layer: services
 # Module: radvd
@@ -401,13 +387,6 @@ tcpd = base
 # 
 radvd = base
 
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-# 
-rshd = base
-
 # Layer: services
 # Module: sasl
 #
@@ -423,153 +402,11 @@ sasl = base
 postgresql = module
 
 # Layer: services
-# Module: ntp
+# Module: hal
 #
-# Network time protocol daemon
+# Hardware abstraction layer
 # 
-ntp = base
+hal = base
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-# 
-ldap = module
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-# 
-inetd = base
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-# 
-apache = module
-
-# Layer: services
-# Module: squid
-#
-# Squid caching http proxy server
-# 
-squid = module
-
-# Layer: services
-# Module: howl
-#
-# Port of Apple Rendezvous multicast DNS
-# 
-howl = base
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-# 
-dictd = base
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-# 
-kerberos = base
-
-# Layer: services
-# Module: radius
-#
-# RADIUS authentication and accounting server.
-# 
-radius = base
-
-# Layer: services
-# Module: uucp
-#
-# Unix to Unix Copy
-# 
-uucp = base
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-# 
-nis = base
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-# 
-dhcp = module
-
-# Layer: services
-# Module: samba
-#
-# SMB and CIFS client/server programs for UNIX and
-# name  Service  Switch  daemon for resolving names
-# from Windows NT servers.
-# 
-samba = module
-
-# Layer: services
-# Module: telnet
-#
-# Telnet daemon
-# 
-telnet = off
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-# 
-inn = base
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = off
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-# 
-networkmanager = base
-
-# Layer: services
-# Module: xdm
-#
-# X windows login display manager
-# 
-xdm = base
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-# 
-arpwatch = base
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-# 
-distcc = off
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-# 
-mta = base
 
 # Layer: services
 # Module: zebra
@@ -579,18 +416,11 @@ mta = base
 zebra = base
 
 # Layer: services
-# Module: hal
+# Module: ldap
 #
-# Hardware abstraction layer
+# OpenLDAP directory server
 # 
-hal = base
+ldap = module
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-# 
-cpucontrol = base
 
 # Layer: services
 # Module: mysql
@@ -599,13 +429,6 @@ cpucontrol = base
 # 
 mysql = module
 
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-# 
-cups = base
-
 # Layer: services
 # Module: bind
 #
@@ -621,11 +444,11 @@ bind = module
 snmp = module
 
 # Layer: services
-# Module: spamassassin
+# Module: squid
 #
-# Filter used for removing unsolicited email.
+# Squid caching http proxy server
 # 
-spamassassin = base
+squid = module
 
 # Layer: services
 # Module: mailman
@@ -635,11 +458,11 @@ spamassassin = base
 mailman = module
 
 # Layer: services
-# Module: lpd
+# Module: dictd
 #
-# Line printer daemon
+# Dictionary daemon
 # 
-lpd = base
+dictd = base
 
 # Layer: services
 # Module: privoxy
@@ -648,6 +471,20 @@ lpd = base
 # 
 privoxy = base
 
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+# 
+nis = base
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+# 
+telnet = off
+
 # Layer: services
 # Module: comsat
 #
@@ -655,6 +492,13 @@ privoxy = base
 # 
 comsat = base
 
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+# 
+ssh = off
+
 # Layer: services
 # Module: cvs
 #
@@ -670,11 +514,11 @@ cvs = base
 ppp = base
 
 # Layer: services
-# Module: dovecot
+# Module: arpwatch
 #
-# Dovecot POP and IMAP mail server
+# Ethernet activity monitor.
 # 
-dovecot = base
+arpwatch = base
 
 # Layer: services
 # Module: bluetooth
@@ -683,6 +527,127 @@ dovecot = base
 # 
 bluetooth = base
 
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+# 
+apm = base
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+# 
+mta = base
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+# 
+nscd = base
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+# 
+stunnel = base
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+# 
+distcc = off
+
+# Layer: services
+# Module: samba
+#
+# SMB and CIFS client/server programs for UNIX and
+# name  Service  Switch  daemon for resolving names
+# from Windows NT servers.
+# 
+samba = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+# 
+cyrus = base
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+# 
+ftp = base
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+# 
+cpucontrol = base
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+# 
+dovecot = base
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+# 
+rsync = base
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+# 
+canna = base
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+# 
+cron = base
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+# 
+tcpd = base
+
+# Layer: services
+# Module: xdm
+#
+# X windows login display manager
+# 
+xdm = base
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+# 
+networkmanager = base
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+# 
+dbskk = base
+
 # Layer: services
 # Module: pegasus
 #
@@ -690,6 +655,34 @@ bluetooth = base
 # 
 pegasus = base
 
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+# 
+radius = base
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+# 
+spamassassin = base
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+# 
+postfix = base
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+# 
+cups = base
+
 # Layer: services
 # Module: rpc
 #
@@ -697,6 +690,13 @@ pegasus = base
 # 
 rpc = base
 
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+# 
+lpd = base
+
 # Layer: system
 # Module: unconfined
 #

refpolicy/policy/modules/services/dovecot.te

@@ -5,7 +5,7 @@ policy_module(dovecot,1.0)
 #
 # Declarations
 #
-type dovecot_t; #, privhome;
+type dovecot_t;
 type dovecot_exec_t;
 init_daemon_domain(dovecot_t,dovecot_exec_t)
 
@@ -111,6 +111,7 @@ sysnet_use_ldap(dovecot_auth_t)
 
 userdom_dontaudit_use_unpriv_user_fd(dovecot_t)
 userdom_dontaudit_search_sysadm_home_dir(dovecot_t)
+userdom_priveleged_home_dir_manager(dovecot_t)
 
 mta_append_spool(dovecot_t)
 

refpolicy/policy/modules/services/ftp.te

@@ -179,10 +179,10 @@ optional_policy(`cron.te',`
 ')
 
 optional_policy(`inetd.te',`
-	tunable_policy(`! ftpd_is_daemon',`
+	#reh: typeattributes not allowed in conditionals yet.
-		#reh: typeattributes not allowed in conditionals yet.
+	#tunable_policy(`! ftpd_is_daemon',`
-		#inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
+	#	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
-	')
+	#')
 
 	optional_policy(`tcpd.te',`
 		tunable_policy(`! ftpd_is_daemon',`

refpolicy/policy/modules/services/samba.te

@@ -54,7 +54,7 @@ domain_type(smbmount_t)
 type smbmount_exec_t;
 domain_entry_file(smbmount_t,smbmount_exec_t)
 
-type winbind_t; # privhome
+type winbind_t;
 type winbind_exec_t;
 init_daemon_domain(winbind_t,winbind_exec_t)
 
@@ -608,6 +608,7 @@ sysnet_dns_name_resolve(winbind_t)
 
 userdom_dontaudit_use_unpriv_user_fd(winbind_t)
 userdom_dontaudit_search_sysadm_home_dir(winbind_t)
+userdom_priveleged_home_dir_manager(winbind_t)
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(winbind_t)

refpolicy/policy/modules/system/userdomain.if

@@ -2033,6 +2033,33 @@ interface(`userdom_manage_all_user_symlinks',`
 	allow $1 home_type:lnk_file create_lnk_perms;
 ')
 
+########################################
+## <summary>
+##	Make the specified domain a privileged
+##	home directory manager.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified domain a privileged
+##	home directory manager.  This domain will be
+##	able to manage the contents of all users
+##	general home directory content, and create
+##	files with the correct context.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_priveleged_home_dir_manager',`
+	gen_require(`
+		attribute privhome;
+	')
+
+	files_list_home($1)
+	typeattribute $1 privhome;
+')
+
 ########################################
 ## <summary>
 ##	Send general signals to unprivileged user domains.