From 9417cb7ad14c4534d602139e51a70f77976de8b6 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Fri, 3 Feb 2006 16:13:15 +0000
Subject: [PATCH] clean up userdom_create_user_home()

---
 refpolicy/policy/modules/apps/irc.if          |   2 +-
 refpolicy/policy/modules/apps/java.if         |   2 +-
 refpolicy/policy/modules/services/cron.if     |   2 +-
 refpolicy/policy/modules/services/cron.te     |   2 +-
 refpolicy/policy/modules/services/ftp.if      |   6 +-
 refpolicy/policy/modules/services/ftp.te      |   2 +-
 refpolicy/policy/modules/services/mta.if      |  19 ++-
 refpolicy/policy/modules/services/mta.te      |   2 +-
 refpolicy/policy/modules/services/samba.if    |   6 +-
 .../policy/modules/services/spamassassin.if   |  13 +-
 refpolicy/policy/modules/system/userdomain.if | 111 ++++++++----------
 11 files changed, 69 insertions(+), 98 deletions(-)

diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index 5ad06613..3d604ad6 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -65,7 +65,7 @@ template(`irc_per_userdomain_template',`
 	allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
 	allow $1_irc_t $1_irc_home_t:file create_file_perms;
 	allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
-	userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
+	userdom_filetrans_user_home_dir($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
 
 	# access files under /tmp
 	allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index b390cb4f..e99d5385 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -126,12 +126,12 @@ template(`java_per_userdomain_template',`
 	userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
 	userdom_dontaudit_setattr_user_home_files($1,$1_javaplugin_t)
 	userdom_dontaudit_exec_user_home_files($1,$1_javaplugin_t)
-	userdom_create_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file },$1_home_t)
 	userdom_manage_user_home_subdirs($1,$1_javaplugin_t)
 	userdom_manage_user_home_subdir_files($1,$1_javaplugin_t)
 	userdom_manage_user_home_subdir_symlinks($1,$1_javaplugin_t)
 	userdom_manage_user_home_subdir_pipes($1,$1_javaplugin_t)
 	userdom_manage_user_home_subdir_sockets($1,$1_javaplugin_t)
+	userdom_filetrans_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
 
 	# libdeploy.so legacy
 	tunable_policy(`allow_execmem',`
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 66caebb3..fa0d30cf 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -142,7 +142,7 @@ template(`cron_per_userdomain_template',`
 	userdom_manage_user_home_subdir_symlinks($1,$1_crond_t)
 	userdom_manage_user_home_subdir_pipes($1,$1_crond_t)
 	userdom_manage_user_home_subdir_sockets($1,$1_crond_t)
-#	userdom_create_user_home($1,$1_crond_t,notdevfile_class_set)
+#	userdom_filetrans_user_home($1,$1_crond_t,notdevfile_class_set)
 
 	tunable_policy(`fcron_crond', `
 		allow crond_t $1_cron_spool_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 743dae15..75a112d3 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -159,7 +159,7 @@ ifdef(`targeted_policy',`
 	userdom_manage_user_home_subdir_symlinks(user,crond_t)
 	userdom_manage_user_home_subdir_pipes(user,crond_t)
 	userdom_manage_user_home_subdir_sockets(user,crond_t)
-	userdom_create_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file })
+	userdom_filetrans_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file })
 
 	allow crond_t unconfined_t:dbus send_msg;
 	allow crond_t initrc_t:dbus send_msg;
diff --git a/refpolicy/policy/modules/services/ftp.if b/refpolicy/policy/modules/services/ftp.if
index bf1c3dd5..ccd4b4d0 100644
--- a/refpolicy/policy/modules/services/ftp.if
+++ b/refpolicy/policy/modules/services/ftp.if
@@ -22,16 +22,12 @@
 ## </param>
 #
 template(`ftp_per_userdomain_template',`
-	gen_require(`
-		type ftpd_t;
-	')
-
 	tunable_policy(`ftpd_is_daemon',`
 		userdom_manage_user_home_subdir_files($1,ftpd_t)
 		userdom_manage_user_home_subdir_symlinks($1,ftpd_t)
 		userdom_manage_user_home_subdir_sockets($1,ftpd_t)
 		userdom_manage_user_home_subdir_pipes($1,ftpd_t)
-		userdom_create_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+		userdom_filetrans_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
 	')
 ')
 
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 7ffe9f60..a4bf5d92 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -142,7 +142,7 @@ ifdef(`targeted_policy',`
 			userdom_manage_user_home_subdir_symlinks(user,ftpd_t)
 			userdom_manage_user_home_subdir_sockets(user,ftpd_t)
 			userdom_manage_user_home_subdir_pipes(user,ftpd_t)
-			userdom_create_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+			userdom_filetrans_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
 		')
 	')
 ')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 5e1384eb..1b0eeaad 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -36,11 +36,6 @@ interface(`mta_stub',`
 #
 template(`mta_base_mail_template',`
 
-	gen_require(`
-		attribute user_mail_domain;
-		type sendmail_exec_t;
-	')
-
 	##############################
 	#
 	# $1_mail_t declarations
@@ -175,11 +170,11 @@ template(`mta_base_mail_template',`
 ## </param>
 #
 template(`mta_per_userdomain_template',`
-	gen_require(`
-		attribute mailserver_domain, mta_user_agent;
-		attribute mailserver_delivery, user_mail_domain;
-		type sendmail_exec_t;
-	')
+
+	##############################
+	#
+	# Declarations
+	#
 
 	mta_base_mail_template($1)
 	role $3 types $1_mail_t;
@@ -210,7 +205,7 @@ template(`mta_per_userdomain_template',`
 	userdom_use_user_terminals($1,mta_user_agent)
 	# Create dead.letter in user home directories.
 	userdom_manage_user_home_subdir_files($1,$1_mail_t)
-	userdom_create_user_home($1,$1_mail_t,file)
+	userdom_filetrans_user_home($1,$1_mail_t,file)
 	# for reading .forward - maybe we need a new type for it?
 	# also for delivering mail to maildir
 	userdom_manage_user_home_subdirs($1,mailserver_delivery)
@@ -218,7 +213,7 @@ template(`mta_per_userdomain_template',`
 	userdom_manage_user_home_subdir_symlinks($1,mailserver_delivery)
 	userdom_manage_user_home_subdir_pipes($1,mailserver_delivery)
 	userdom_manage_user_home_subdir_sockets($1,mailserver_delivery)
-	userdom_create_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
+	userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
 
 	tunable_policy(`use_samba_home_dirs',`
 		fs_manage_cifs_files($1_mail_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 9bc6a3fb..64f5ed8b 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -79,7 +79,7 @@ ifdef(`targeted_policy',`
 	userdom_manage_user_home_subdir_symlinks(user,mailserver_delivery)
 	userdom_manage_user_home_subdir_pipes(user,mailserver_delivery)
 	userdom_manage_user_home_subdir_sockets(user,mailserver_delivery)
-	userdom_create_user_home(user,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
+	userdom_filetrans_user_home(user,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
 
 # cjp: another require-in-else to resolve
 #	optional_policy(`postfix',`',`
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index 34a7cadd..be062909 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -26,16 +26,12 @@
 ## </param>
 #
 template(`samba_per_userdomain_template',`
-	gen_require(`
-		type smbd_t;
-	')
-
 	tunable_policy(`samba_enable_home_dirs',`
 		userdom_manage_user_home_subdir_files($1,smbd_t)
 		userdom_manage_user_home_subdir_symlinks($1,smbd_t)
 		userdom_manage_user_home_subdir_sockets($1,smbd_t)
 		userdom_manage_user_home_subdir_pipes($1,smbd_t)
-		userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+		userdom_filetrans_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
 	')
 ')
 
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index 1d7aca63..db5a7921 100644
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -28,10 +28,11 @@
 # cjp: when tunables are available, spamc stuff should be
 # toggled on activation of spamc, and similarly for spamd.
 template(`spamassassin_per_userdomain_template',`
-	gen_require(`
-		type spamd_t, spamd_tmp_t;
-		type spamc_exec_t, spamassassin_exec_t;
-	')
+
+	##############################
+	#
+	# Declarations
+	#
 
 	type $1_spamc_t;
 	domain_type($1_spamc_t)
@@ -194,7 +195,7 @@ template(`spamassassin_per_userdomain_template',`
 	allow $1_spamassassin_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
 	allow $1_spamassassin_t $1_spamassassin_home_t:sock_file create_file_perms;
 	allow $1_spamassassin_t $1_spamassassin_home_t:fifo_file create_file_perms;
-	userdom_create_user_home($1,$1_spamassassin_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t)
+	userdom_filetrans_user_home_dir($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
 
 	allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms;
 	allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms;
@@ -215,7 +216,7 @@ template(`spamassassin_per_userdomain_template',`
 	allow spamd_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
 	allow spamd_t $1_spamassassin_home_t:sock_file create_file_perms;
 	allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms;
-	userdom_create_user_home($1,spamd_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t)
+	userdom_filetrans_user_home_dir($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
 
 	kernel_read_kernel_sysctls($1_spamassassin_t)
 
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 3212b7d7..9e86216a 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1569,68 +1569,15 @@ template(`userdom_manage_user_home_subdir_sockets',`
 
 ########################################
 ## <summary>
-##	
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <desc>
 ##	<p>
-##	Create, read, write, and delete named sockets
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-## </param>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-## <param name="object_class" optional="true">
-##	The class of the object to be created.  If not
-##	specified, file is used.
-## </param>
-## <param name="private_type" optional="true">
-##	The type of the object to create.  If this is
-##	not specified, the regular home directory
-##	type is used.
-## </param>
-#
-template(`userdom_create_user_home',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-
-	allow $2 $1_home_dir_t:dir rw_dir_perms;
-
-	ifelse(`$4',`',`
-		ifelse(`$3',`',`
-			type_transition $2 $1_home_dir_t:file $1_home_t;
-		',`
-			type_transition $2 $1_home_dir_t:$3 $1_home_t;
-		')
-	',`
-		ifelse(`$3',`',`
-			type_transition $2 $1_home_dir_t:file $4;
-		',`
-			type_transition $2 $1_home_dir_t:$3 $4;
-		')
-	')
-')
-
-########################################
-## <summary>
-##	Create objects in a user home directory with
-##	a type transition to a specified type.
-## </summary>
-## <desc>
-##	<p>
-##	Create objects in a user home directory with
-##	a type transition to a specified type.
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	a specified private type.
 ##	</p>
 ##	<p>
 ##	This is a templated interface, and should only
@@ -1645,9 +1592,7 @@ template(`userdom_create_user_home',`
 ##	Domain allowed access.
 ## </param>
 ## <param name="private_type">
-##	The type of the object to create.  If this is
-##	not specified, the regular home directory
-##	type is used.
+##	The type of the object to create.
 ## </param>
 ## <param name="object_class">
 ##	The class of the object to be created.  If not
@@ -1655,14 +1600,52 @@ template(`userdom_create_user_home',`
 ## </param>
 #
 template(`userdom_filetrans_user_home_dir',`
+	gen_require(`
+		type $1_home_dir_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir rw_dir_perms;
+	type_transition $2 $1_home_dir_t:$4 $3;
+')
+
+########################################
+## <summary>
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	the user home file type.
+## </summary>
+## <desc>
+##	<p>
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	the user home file type.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="object_class">
+##	The class of the object to be created.  If not
+##	specified, file is used.
+## </param>
+#
+template(`userdom_filetrans_user_home',`
 	gen_require(`
 		type $1_home_dir_t, $1_home_t;
 	')
 
 	files_search_home($2)
 	allow $2 $1_home_dir_t:dir rw_dir_perms;
-
-	type_transition $2 $1_home_dir_t:$4 $3;
+	type_transition $2 $1_home_dir_t:$3 $1_home_t;
 ')
 
 ########################################