diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 013f085a..7223e0ae 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -993,7 +993,7 @@ template(`admin_user_template',` # template(`userdom_search_user_home',` gen_require(` - class dir { getattr search }; + type $1_home_dir_t; ') files_search_home($2) @@ -1023,8 +1023,7 @@ template(`userdom_search_user_home',` # template(`userdom_read_user_home_files',` gen_require(` - class dir search; - class file r_file_perms; + type $1_home_dir_t, $1_home_t; ') files_search_home($2) @@ -1056,7 +1055,7 @@ template(`userdom_read_user_home_files',` # template(`userdom_exec_user_home_files',` gen_require(` - class dir search; + type $1_home_dir_t, $1_home_t; ') files_search_home($2) @@ -1090,8 +1089,7 @@ template(`userdom_exec_user_home_files',` # template(`userdom_manage_user_home_subdir_files',` gen_require(` - class dir rw_dir_perms; - class file create_file_perms; + type $1_home_dir_t, $1_home_t; ') files_search_home($2) @@ -1125,8 +1123,7 @@ template(`userdom_manage_user_home_subdir_files',` # template(`userdom_manage_user_home_subdir_symlinks',` gen_require(` - class dir rw_dir_perms; - class lnk_file create_lnk_perms; + type $1_home_dir_t, $1_home_t; ') files_search_home($2) @@ -1160,8 +1157,7 @@ template(`userdom_manage_user_home_subdir_symlinks',` # template(`userdom_manage_user_home_subdir_pipes',` gen_require(` - class dir rw_dir_perms; - class fifo_file create_file_perms; + type $1_home_dir_t, $1_home_t; ') files_search_home($2) @@ -1195,8 +1191,7 @@ template(`userdom_manage_user_home_subdir_pipes',` # template(`userdom_manage_user_home_subdir_sockets',` gen_require(` - class dir rw_dir_perms; - class sock_file create_file_perms; + type $1_home_dir_t, $1_home_t; ') files_search_home($2) @@ -1233,7 +1228,7 @@ template(`userdom_manage_user_home_subdir_sockets',` # template(`userdom_create_user_home',` gen_require(` - class dir rw_dir_perms; + type $1_home_dir_t, $1_home_t; ') files_search_home($2) @@ -1272,7 +1267,7 @@ template(`userdom_create_user_home',` # template(`userdom_manage_user_tmp_dirs',` gen_require(` - class dir create_dir_perms; + type $1_tmp_t; ') files_search_tmp($2) @@ -1304,8 +1299,7 @@ template(`userdom_manage_user_tmp_dirs',` # template(`userdom_manage_user_tmp_files',` gen_require(` - class dir rw_dir_perms; - class file create_file_perms; + type $1_tmp_t; ') files_search_tmp($2) @@ -1338,8 +1332,7 @@ template(`userdom_manage_user_tmp_files',` # template(`userdom_manage_user_tmp_symlinks',` gen_require(` - class dir rw_dir_perms; - class lnk_file create_lnk_perms; + type $1_tmp_t; ') files_search_tmp($2) @@ -1372,8 +1365,7 @@ template(`userdom_manage_user_tmp_symlinks',` # template(`userdom_manage_user_tmp_pipes',` gen_require(` - class dir rw_dir_perms; - class fifo_file create_file_perms; + type $1_tmp_t; ') files_search_tmp($2) @@ -1406,8 +1398,7 @@ template(`userdom_manage_user_tmp_pipes',` # template(`userdom_manage_user_tmp_sockets',` gen_require(` - class dir rw_dir_perms; - class sock_file create_file_perms; + type $1_tmp_t; ') files_search_tmp($2) @@ -1438,7 +1429,7 @@ template(`userdom_manage_user_tmp_sockets',` # template(`userdom_use_user_terminals',` gen_require(` - class chr_file rw_term_perms; + type $1_tty_device_t, $1_devpts_t; ') allow $2 $1_tty_device_t:chr_file rw_term_perms; @@ -1497,9 +1488,6 @@ interface(`userdom_shell_domtrans_sysadm',` ',` gen_require(` type sysadm_t; - class fd use; - class fifo_file rw_file_perms; - class process sigchld; ') corecmd_shell_domtrans($1,sysadm_t) @@ -1522,7 +1510,6 @@ interface(`userdom_shell_domtrans_sysadm',` interface(`userdom_search_staff_home_dir',` gen_require(` type staff_home_dir_t; - class dir search; ') files_search_home($1) @@ -1541,7 +1528,6 @@ interface(`userdom_search_staff_home_dir',` interface(`userdom_dontaudit_search_staff_home_dir',` gen_require(` type staff_home_dir_t; - class dir search; ') dontaudit $1 staff_home_dir_t:dir search; @@ -1558,9 +1544,6 @@ interface(`userdom_dontaudit_search_staff_home_dir',` interface(`userdom_read_staff_home_files',` gen_require(` type staff_home_dir_t, staff_home_t; - class dir r_dir_perms; - class file r_file_perms; - class lnk_file r_file_perms; ') files_search_home($1) @@ -1598,7 +1581,6 @@ interface(`userdom_use_sysadm_tty',` ',` gen_require(` type sysadm_tty_device_t; - class chr_file rw_term_perms; ') dev_list_all_dev_nodes($1) @@ -1621,7 +1603,6 @@ interface(`userdom_dontaudit_use_sysadm_tty',` ',` gen_require(` type sysadm_tty_device_t; - class chr_file { read write }; ') dontaudit $1 sysadm_tty_device_t:chr_file { read write }; @@ -1642,7 +1623,6 @@ interface(`userdom_use_sysadm_pty',` ',` gen_require(` type sysadm_devpts_t; - class chr_file rw_term_perms; ') dev_list_all_dev_nodes($1) @@ -1698,7 +1678,6 @@ interface(`userdom_dontaudit_use_sysadm_terms',` ',` gen_require(` attribute admin_terminal; - class chr_file { read write }; ') dontaudit $1 admin_terminal:chr_file { read write }; @@ -1720,7 +1699,6 @@ interface(`userdom_use_sysadm_fd',` ',` gen_require(` type sysadm_t; - class fd use; ') allow $1 sysadm_t:fd use; @@ -1742,7 +1720,6 @@ interface(`userdom_rw_sysadm_pipe',` ',` gen_require(` type sysadm_t; - class fifo_file rw_file_perms; ') allow $1 sysadm_t:fifo_file rw_file_perms; @@ -1794,7 +1771,6 @@ interface(`userdom_search_sysadm_home_dir',` interface(`userdom_dontaudit_search_sysadm_home_dir',` gen_require(` type sysadm_home_dir_t; - class dir search; ') dontaudit $1 sysadm_home_dir_t:dir search; @@ -1812,7 +1788,6 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',` interface(`userdom_dontaudit_list_sysadm_home_dir',` gen_require(` type sysadm_home_dir_t; - class dir r_dir_perms; ') dontaudit $1 sysadm_home_dir_t:dir r_dir_perms; @@ -1829,9 +1804,6 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',` interface(`userdom_read_sysadm_home_files',` gen_require(` type sysadm_home_dir_t, sysadm_home_t; - class dir r_dir_perms; - class file r_file_perms; - class lnk_file r_file_perms; ') files_search_home($1) @@ -1850,7 +1822,6 @@ interface(`userdom_read_sysadm_home_files',` interface(`userdom_search_all_users_home',` gen_require(` attribute home_dir_type, home_type; - class dir search; ') files_list_home($1) @@ -1868,7 +1839,6 @@ interface(`userdom_search_all_users_home',` interface(`userdom_dontaudit_search_all_users_home',` gen_require(` attribute home_dir_type, home_type; - class dir search; ') dontaudit $1 { home_dir_type home_type }:dir search; @@ -1885,8 +1855,6 @@ interface(`userdom_dontaudit_search_all_users_home',` interface(`userdom_read_all_user_files',` gen_require(` attribute home_type; - class dir r_dir_perms; - class file r_file_perms; ') files_list_home($1) @@ -1961,7 +1929,6 @@ interface(`userdom_manage_all_user_symlinks',` interface(`userdom_signal_unpriv_users',` gen_require(` attribute unpriv_userdomain; - class process signal; ') allow $1 unpriv_userdomain:process signal; @@ -1978,7 +1945,6 @@ interface(`userdom_signal_unpriv_users',` interface(`userdom_use_unpriv_users_fd',` gen_require(` attribute unpriv_userdomain; - class fd use; ') allow $1 unpriv_userdomain:fd use; @@ -1996,7 +1962,6 @@ interface(`userdom_use_unpriv_users_fd',` interface(`userdom_dontaudit_use_unpriv_user_fd',` gen_require(` attribute unpriv_userdomain; - class fd use; ') dontaudit $1 unpriv_userdomain:fd use; @@ -2031,7 +1996,6 @@ interface(`userdom_create_user_home_dir',` interface(`userdom_manage_user_home_dir',` gen_require(` type user_home_dir_t; - class dir create_dir_perms; ') allow $1 user_home_dir_t:dir create_dir_perms; @@ -2053,7 +2017,6 @@ interface(`userdom_manage_user_home_dir',` interface(`userdom_create_user_home',` gen_require(` type user_home_dir_t, user_home_t; - class dir rw_dir_perms; ') allow $1 user_home_dir_t:dir rw_dir_perms; @@ -2075,7 +2038,6 @@ interface(`userdom_create_user_home',` interface(`userdom_dontaudit_search_user_home_dirs',` gen_require(` type user_home_t; - class dir search; ') dontaudit $1 user_home_t:dir search; @@ -2094,7 +2056,6 @@ interface(`userdom_dontaudit_search_user_home_dirs',` interface(`userdom_manage_user_home_dirs',` gen_require(` type user_home_t; - class dir create_dir_perms; ') allow $1 user_home_t:dir create_dir_perms; @@ -2112,8 +2073,6 @@ interface(`userdom_manage_user_home_dirs',` interface(`userdom_manage_user_home_files',` gen_require(` type user_home_t; - class dir rw_dir_perms; - class file create_file_perms; ') allow $1 user_home_t:dir rw_dir_perms; @@ -2132,8 +2091,6 @@ interface(`userdom_manage_user_home_files',` interface(`userdom_manage_user_home_symlinks',` gen_require(` type user_home_t; - class dir rw_dir_perms; - class lnk_file create_lnk_perms; ') allow $1 user_home_t:dir rw_dir_perms; @@ -2152,8 +2109,6 @@ interface(`userdom_manage_user_home_symlinks',` interface(`userdom_manage_user_home_pipes',` gen_require(` type user_home_t; - class dir rw_dir_perms; - class fifo_file create_file_perms; ') allow $1 user_home_t:dir rw_dir_perms; @@ -2172,8 +2127,6 @@ interface(`userdom_manage_user_home_pipes',` interface(`userdom_manage_user_home_sockets',` gen_require(` type user_home_t; - class dir rw_dir_perms; - class sock_file create_file_perms; ') allow $1 user_home_t:dir rw_dir_perms; @@ -2207,7 +2160,7 @@ interface(`userdom_search_unpriv_user_home_dirs',` # interface(`userdom_read_unpriv_user_home_files',` gen_require(` - type user_home_dir_type, user_home_type; + attribute user_home_dir_type, user_home_type; ') allow $1 user_home_dir_type:dir search; @@ -2225,7 +2178,6 @@ interface(`userdom_read_unpriv_user_home_files',` interface(`userdom_write_unpriv_user_tmp',` gen_require(` attribute user_tmpfile; - class file { getattr write append }; ') allow $1 user_tmpfile:file { getattr write append }; @@ -2243,7 +2195,6 @@ interface(`userdom_write_unpriv_user_tmp',` interface(`userdom_dontaudit_use_unpriv_user_tty',` gen_require(` attribute user_ttynode; - class chr_file rw_file_perms; ') dontaudit $1 user_ttynode:chr_file rw_file_perms; @@ -2260,7 +2211,6 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',` interface(`userdom_use_all_user_fd',` gen_require(` attribute userdomain; - class fd use; ') allow $1 userdomain:fd use; @@ -2278,7 +2228,6 @@ interface(`userdom_use_all_user_fd',` interface(`userdom_dontaudit_use_all_user_fd',` gen_require(` attribute userdomain; - class fd use; ') dontaudit $1 userdomain:fd use; @@ -2295,7 +2244,6 @@ interface(`userdom_dontaudit_use_all_user_fd',` interface(`userdom_signal_all_users',` gen_require(` attribute userdomain; - class process signal; ') allow $1 userdomain:process signal; @@ -2312,7 +2260,6 @@ interface(`userdom_signal_all_users',` interface(`userdom_sigcld_all_users',` gen_require(` attribute userdomain; - class process sigchld; ') allow $1 userdomain:process sigchld; @@ -2329,7 +2276,6 @@ interface(`userdom_sigcld_all_users',` interface(`userdom_unconfined',` gen_require(` type user_home_dir_t; - class dir create_dir_perms; ') allow $1 user_home_dir_t:dir create_dir_perms;