diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 32514ee..91a6a37 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -154,7 +154,7 @@ modutils_domtrans_insmod(bootloader_t) seutil_read_bin_policy(bootloader_t) seutil_read_loadpolicy(bootloader_t) -userdom_getattr_user_tmpfs_files(bootloader_t) +userdom_getattr_user_tmp_files(bootloader_t) userdom_use_inherited_user_terminals(bootloader_t) userdom_dontaudit_search_user_home_dirs(bootloader_t) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 337a00e..87c6145 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -5199,6 +5199,7 @@ interface(`files_search_tmp',` type tmp_t; ') + fs_search_tmpfs($1) read_lnk_files_pattern($1, tmp_t, tmp_t) allow $1 tmp_t:dir search_dir_perms; ') diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te index a3fe7f6..13a745c 100644 --- a/policy/modules/roles/unconfineduser.te +++ b/policy/modules/roles/unconfineduser.te @@ -33,7 +33,6 @@ gen_tunable(unconfined_login, true) userdom_base_user_template(unconfined) userdom_manage_home_role(unconfined_r, unconfined_t) userdom_manage_tmp_role(unconfined_r, unconfined_t) -userdom_manage_tmpfs_role(unconfined_r, unconfined_t) userdom_unpriv_type(unconfined_t) type unconfined_exec_t; diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index e8dcfa7..eb9cefe 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if 
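Review bot: The `fs_search_tmpfs($1)` line added to `files_search_tmp` (files.if, -5199 hunk) changes what every existing caller of this interface is granted, not only the domains this commit touches. Going by the interface name, any domain that may search /tmp would now also be able to search tmpfs directories. If that is the intent of folding the tmpfs types into user_tmp_t, the interface summary should say so, e.g. `## Search the tmp directory (/tmp) and tmpfs directories.`; otherwise the grant is better placed in the userdom_* interfaces that need it. The interface header and doc block start outside the hunk.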
@@ -219,8 +219,9 @@ template(`ssh_server_template',` allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom }; term_create_pty($1_t, $1_devpts_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) + #manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + #fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) + userdom_manage_tmp_role(system_r, sshd_t) allow $1_t $1_var_run_t:file manage_file_perms; files_pid_filetrans($1_t, $1_var_run_t, file) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index a8b01bf..fc87b9e 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -89,7 +89,7 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) type ssh_tmpfs_t; typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; -userdom_user_tmpfs_file(ssh_tmpfs_t) +userdom_user_tmp_file(ssh_tmpfs_t) type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; @@ -127,7 +127,7 @@ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) 
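Review bot: The line added to `ssh_server_template` (ssh.if, -219 hunk) names `sshd_t` literally, while every other rule in the template is written against `$1_t`, so an instantiation with any other prefix gets no temp-file rules of its own and re-grants them to sshd_t instead. Suggest `userdom_manage_tmp_role(system_r, $1_t)`. This role interface grants manage and relabel on the whole `user_tmp_type` attribute (see the userdomain.if -420 hunk), which is much wider than the per-server `$1_tmpfs_t` files it replaces and deserves a comment explaining why the server needs it. The two `#`-disabled lines should be deleted rather than kept as comments; the same applies to the commented-out lines in the ssh.te hunks at -127 and -292. The template body continues outside the hunk.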
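Review bot: With `fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, ...)` commented out in the ssh.te -127 hunk, the four `manage_*_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)` rules just above it stay in place but nothing visible in this diff creates objects with that label any more. Either drop those rules together with the transition, or add a comment stating which label ssh_t's tmpfs files are now expected to get, e.g. `# tmpfs files created by ssh_t are now labelled via <interface>` with the actual interface filled in. Whether ssh_t receives a replacement transition elsewhere cannot be determined from the hunk.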
@@ -292,7 +292,7 @@ auth_exec_login_program(sshd_t) userdom_read_user_home_content_files(sshd_t) userdom_read_user_home_content_symlinks(sshd_t) -userdom_manage_tmp_role(system_r, sshd_t) +#userdom_manage_tmp_role(system_r, sshd_t) userdom_spec_domtrans_unpriv_users(sshd_t) userdom_signal_unpriv_users(sshd_t) userdom_dyntransition_unpriv_users(sshd_t) diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 4dda124..4eee56a 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -76,10 +76,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) # /tmp # -/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) # # /usr diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index bf98136..2469c27 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -220,7 +220,7 @@ interface(`xserver_non_drawing_client',` interface(`xserver_user_client',` refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` - type xdm_t, xdm_tmp_t; + type xdm_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') @@ -235,8 +235,8 @@ interface(`xserver_user_client',` # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; - allow $1 xdm_tmp_t:dir search_dir_perms; - allow $1 xdm_tmp_t:sock_file { read write }; + userdom_search_user_tmp_dirs($1) + userdom_rw_user_tmp_sock_files($1) dontaudit $1 xdm_t:tcp_socket { read write }; # Allow connections to X server. 
@@ -395,7 +395,7 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` - type xdm_t, xdm_tmp_t, xserver_tmpfs_t; + type xdm_t, xserver_tmpfs_t; type xdm_home_t; type xauth_home_t, iceauth_home_t, xserver_t; ') @@ -413,8 +413,8 @@ template(`xserver_user_x_domain_template',` # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; - allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; + userdom_search_user_tmp_dirs($2) + userdom_rw_user_tmp_sock_files($2) dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. @@ -429,7 +429,7 @@ template(`xserver_user_x_domain_template',` xserver_ro_session($2, $3) xserver_use_user_fonts($2) - xserver_read_xdm_tmp_files($2) + userdom_read_user_tmp_files($2) xserver_read_xdm_pid($2) xserver_xdm_append_log($2) @@ -817,12 +817,13 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` - type xdm_t, xdm_tmp_t, xdm_var_run_t; + type xdm_t, xdm_var_run_t; ') files_search_tmp($1) files_search_pids($1) - stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t) + stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t) + userdom_stream_connect($1) ') ######################################## @@ -934,12 +935,8 @@ interface(`xserver_read_xdm_rw_config',` ## # interface(`xserver_search_xdm_tmp_dirs',` - gen_require(` - type xdm_tmp_t; - ') - - files_search_tmp($1) - allow $1 xdm_tmp_t:dir search_dir_perms; + refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.') + userdom_search_user_tmp_dirs($1) ') ######################################## 
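Review bot: In `xserver_stream_connect_xdm` (-817 hunk) the connect target used to be pinned to xdm_t for sockets labelled xdm_tmp_t or xdm_var_run_t; the new body keeps only xdm_var_run_t for xdm_t and hands the /tmp side to `userdom_stream_connect($1)`, whose definition is not part of this diff. If that interface targets the user-domain attribute, as its name suggests, callers lose connectto to xdm_t over /tmp sockets and gain connectto to every user domain instead. Keeping the target explicit preserves the original scope: `stream_connect_pattern($1, { user_tmp_t xdm_var_run_t }, { user_tmp_t xdm_var_run_t }, xdm_t)` with `type user_tmp_t;` added to the gen_require.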
@@ -953,11 +950,8 @@ interface(`xserver_search_xdm_tmp_dirs',` ## # interface(`xserver_setattr_xdm_tmp_dirs',` - gen_require(` - type xdm_tmp_t; - ') - - allow $1 xdm_tmp_t:dir setattr_dir_perms; + refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') + userdom_dontaudit_setattr_user_tmp($1) ') ######################################## @@ -971,11 +965,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',` ## # interface(`xserver_dontaudit_xdm_tmp_dirs',` - gen_require(` - type xdm_tmp_t; - ') - - dontaudit $1 xdm_tmp_t:dir setattr_dir_perms; + refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') + userdom_dontaudit_setattr_user_tmp($1) ') ######################################## @@ -990,13 +981,8 @@ interface(`xserver_dontaudit_xdm_tmp_dirs',` ## # interface(`xserver_create_xdm_tmp_sockets',` - gen_require(` - type xdm_tmp_t; - ') - - files_search_tmp($1) - allow $1 xdm_tmp_t:dir list_dir_perms; - create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.') + userdom_create_user_tmp_sockets($1) ') ######################################## @@ -1317,12 +1303,8 @@ interface(`xserver_manage_xdm_etc_files',` ## # interface(`xserver_read_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.') + userdom_read_user_tmpfs_files($1) ') ######################################## 
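Review bot: `xserver_setattr_xdm_tmp_dirs` (-953 hunk) was an allow interface, `allow $1 xdm_tmp_t:dir setattr_dir_perms;`, and now expands to `userdom_dontaudit_setattr_user_tmp($1)`. Callers lose the permission, and the resulting denial is also suppressed from the audit log, which makes the breakage hard to diagnose. The body and the refpolicywarn text should point at an allow-type interface for setattr on user tmp directories; no such interface is visible in this diff, so one may need to be added to userdomain.if. The -971 hunk is the dontaudit variant and is the only one of the two that should map to a dontaudit interface.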
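Review bot: `xserver_read_xdm_tmp_files` (-1317 hunk) is redirected to `userdom_read_user_tmpfs_files`, which this same commit deprecates in userdomain.if (-3391 hunk) in favour of `userdom_read_user_tmp_files`. Callers therefore get two chained deprecation warnings, and the first recommends an interface that is itself being retired. Point both the warning text and the call at `userdom_read_user_tmp_files($1)`. The same applies to `xserver_rw_xdm_tmp_files` in the -1355 hunk, which should use `userdom_rw_user_tmp_files($1)`.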
@@ -1336,12 +1318,8 @@ interface(`xserver_read_xdm_tmp_files',` ## # interface(`xserver_dontaudit_read_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - - dontaudit $1 xdm_tmp_t:dir search_dir_perms; - dontaudit $1 xdm_tmp_t:file read_file_perms; + refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.') + userdom_dontaudit_read_user_tmp_files($1) ') ######################################## @@ -1355,12 +1333,8 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',` ## # interface(`xserver_rw_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - - allow $1 xdm_tmp_t:dir search_dir_perms; - allow $1 xdm_tmp_t:file rw_file_perms; + refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.') + userdom_rw_user_tmpfs_files($1) ') ######################################## @@ -1374,11 +1348,8 @@ interface(`xserver_rw_xdm_tmp_files',` ## # interface(`xserver_manage_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - - manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.') + userdom_manage_user_tmp_files($1) ') ######################################## @@ -1392,11 +1363,8 @@ interface(`xserver_manage_xdm_tmp_files',` ## # interface(`xserver_relabel_xdm_tmp_dirs',` - gen_require(` - type xdm_tmp_t; - ') - - allow $1 xdm_tmp_t:dir relabel_dir_perms; + refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.') + userdom_relabel_user_tmp_dirs($1) ') ######################################## @@ -1410,11 +1378,8 @@ interface(`xserver_relabel_xdm_tmp_dirs',` ## # interface(`xserver_manage_xdm_tmp_dirs',` - gen_require(` - type xdm_tmp_t; - ') - - manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t) + refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.') + userdom_manage_user_tmp_dirs($1) ') ######################################## 
@@ -1429,11 +1394,8 @@ interface(`xserver_manage_xdm_tmp_dirs',` ## # interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` - gen_require(` - type xdm_tmp_t; - ') - - dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; + refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.') + usedom_dontaudit_user_getattr_tmp_sockets($1) ') ######################################## @@ -1946,11 +1908,8 @@ interface(`xserver_xdm_ioctl_log',` ## # interface(`xserver_append_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - - allow $1 xdm_tmp_t:file append_inherited_file_perms; + refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.') + userdom_append_user_tmp_files($1) ') ######################################## @@ -2296,12 +2255,8 @@ interface(`xserver_filetrans_admin_home_content',` ## # interface(`xserver_xdm_tmp_filetrans',` - gen_require(` - type xdm_tmp_t; - ') - - filetrans_pattern($1, xdm_tmp_t, $2, $3, $4) - files_search_tmp($1) + refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.') + userdom_user_tmp_filetrans($1,$2, $3, $4) ') ######################################## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index f0e5cc0..e3f28af 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -231,12 +231,6 @@ files_type(xserver_var_lib_t) type xserver_var_run_t; files_pid_file(xserver_var_run_t) -type xdm_tmp_t; -files_tmp_file(xdm_tmp_t) -typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; -typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; -userdom_user_tmp_file(xserver_tmp_t) - type xdm_tmpfs_t; files_tmpfs_file(xdm_tmpfs_t) 
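Review bot: The replacement interface in the -1429 hunk is spelled `usedom_dontaudit_user_getattr_tmp_sockets` (missing `r` in the prefix), and the same spelling is used where it is defined in userdomain.if (-2400 hunk). It resolves because the two spellings match, but the name sits outside the `userdom_` namespace and its word order differs from the neighbouring interfaces, so it will not be found by prefix search or by documentation tooling that groups by module. Suggest renaming it in both places to a `userdom_`-prefixed name such as `userdom_dontaudit_getattr_user_tmp_sockets`, after checking that the name does not collide with an existing interface, before other modules start depending on the misspelling.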
@@ -264,7 +258,7 @@ files_config_file(xserver_etc_t) type xserver_tmpfs_t; typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; -userdom_user_tmpfs_file(xserver_tmpfs_t) +userdom_user_tmp_file(xserver_tmpfs_t) type xsession_exec_t; corecmd_executable_file(xsession_exec_t) @@ -470,14 +464,8 @@ read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) -manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file }) -relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -can_exec(xdm_t, xdm_tmp_t) +userdom_manage_all_user_tmp_content(xdm_t) +userdom_exec_user_tmp_files(xdm_t) manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) @@ -697,7 +685,7 @@ userdom_stream_connect(xdm_t) userdom_manage_user_tmp_dirs(xdm_t) userdom_manage_user_tmp_files(xdm_t) userdom_manage_user_tmp_sockets(xdm_t) -userdom_manage_tmpfs_role(system_r, xdm_t) +userdom_manage_tmp_role(system_r, xdm_t) #userdom_home_manager(xdm_t) tunable_policy(`xdm_write_home',` 
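Review bot: In the -470 hunk, `can_exec(xdm_t, xdm_tmp_t)` limited xdm_t to executing files carrying xdm's own temp type, whereas `userdom_exec_user_tmp_files(xdm_t)` combined with the alias of xdm_tmp_t onto user_tmp_t (userdomain.te hunk) presumably lets the display manager execute temp files written by any domain that can create user_tmp_t content. Together with `userdom_manage_all_user_tmp_content(xdm_t)` this is a considerably larger trust boundary for a privileged login domain than the rules it replaces. If xdm only needs to run files it generates itself, drop the exec grant or put it behind a tunable, and add a comment such as `# xdm executes <what> from /tmp` stating the concrete need. The definition of `userdom_exec_user_tmp_files` is not in this diff, so the exact permission set should be confirmed.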
@@ -1349,9 +1337,8 @@ dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms; read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. -manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +userdom_manage_user_tmp_files(xserver_t) +userdom_manage_user_tmp_sockets(xserver_t) # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms; @@ -1591,7 +1578,6 @@ manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t) allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms; -dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms; files_search_tmp(x_userdomain) # Communicate via System V shared memory. @@ -1618,10 +1604,9 @@ allow x_userdomain xauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow x_userdomain xdm_t:fd use; allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms; -allow x_userdomain xdm_tmp_t:dir search_dir_perms; -allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms; +userdom_search_user_tmp_dirs(x_userdomain) +userdom_rw_user_tmp_sock_files(x_userdomain) dontaudit x_userdomain xdm_t:tcp_socket { read write }; -dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms; allow x_userdomain xdm_t:dbus send_msg; allow xdm_t x_userdomain:dbus send_msg; diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 1259fbd..5e66714 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te 
@@ -553,7 +553,7 @@ logging_manage_all_logs(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) userdom_search_user_home_dirs(syslogd_t) -userdom_rw_inherited_user_tmpfs_files(syslogd_t) +userdom_rw_inherited_user_tmp_files(syslogd_t) ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 00b82b3..9933cad 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -413,7 +413,7 @@ allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t) manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t) fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file }) -userdom_rw_user_tmpfs_files(mount_ecryptfs_t) +userdom_rw_user_tmp_files(mount_ecryptfs_t) domain_use_interactive_fds(mount_ecryptfs_t) diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index 4ca3a28..8f5380f 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -21,6 +21,12 @@ HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) +/tmp/\.X0-lock -- gen_context(system_u:object_r:user_tmp_t,s0) +/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) +/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) + + + /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) /tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 102478f..4f42aa5 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
@@ -420,6 +420,7 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) relabel_files_pattern($2, user_tmp_type, user_tmp_type) relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) @@ -427,8 +428,6 @@ interface(`userdom_manage_tmp_role',` relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) ') - - ####################################### ## ## Dontaudit search of user bin dirs. @@ -534,24 +533,8 @@ interface(`userdom_manage_tmpfs_files',` ## # interface(`userdom_manage_tmpfs_role',` - gen_require(` - attribute user_tmpfs_type; - type user_tmpfs_t; - ') - - role $1 types user_tmpfs_t; - - manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) - manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) - relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) + refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.') + userdom_manage_tmp_role($1,$2) ') ####################################### 
@@ -994,7 +977,6 @@ template(`userdom_login_user_template', ` userdom_manage_home_role($1_r, $1_t) userdom_manage_tmp_role($1_r, $1_usertype) - userdom_manage_tmpfs_role($1_r, $1_usertype) ifelse(`$1',`unconfined',`',` gen_tunable($1_exec_content, true) @@ -1839,8 +1821,8 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` - files_tmpfs_file($1) - ubac_constrained($1) + refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.') + userdom_user_tmp_file($1) ') ######################################## @@ -1878,14 +1860,8 @@ interface(`userdom_user_tmp_content',` ## # interface(`userdom_user_tmpfs_content',` - gen_require(` - attribute user_tmpfs_type; - ') - - typeattribute $1 user_tmpfs_type; - - files_tmpfs_file($1) - ubac_constrained($1) + refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.') + userdom_user_tmp_content($1) ') ######################################## @@ -2400,6 +2376,43 @@ interface(`userdom_setattr_user_tmp_files',` ######################################## ## +## Create a user tmp sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_create_user_tmp_sockets',` + gen_require(` + type user_tmp_t; + ') + + files_search_tmp($1) + allow $1 user_tmp_t:dir list_dir_perms; + create_sock_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## +## Dontaudit getattr on user tmp sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`usedom_dontaudit_user_getattr_tmp_sockets',` + gen_require(` + type user_tmp_t; + ') + dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms; +') + +######################################## +## ## Relabel user tmp files. ## ## 
@@ -2416,6 +2429,26 @@ interface(`userdom_relabel_user_tmp_files',` allow $1 user_tmp_t:file relabel_file_perms; ') + +######################################## +## +## Relabel user tmp files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_relabel_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:dir relabel_dir_perms; +') + ######################################## ## ## Do not audit attempts to set the @@ -3068,6 +3101,25 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # +interface(`userdom_getattr_user_tmp_files',` + gen_require(` + attribute user_tmp_type; + ') + + getattr_files_pattern($1, user_tmp_type, user_tmp_type) + files_search_tmp($1) +') + +######################################## +## +## Read user temporary files. +## +## +## +## Domain allowed access. +## +## +# interface(`userdom_read_user_tmp_files',` gen_require(` attribute user_tmp_type; @@ -3080,6 +3132,23 @@ interface(`userdom_read_user_tmp_files',` ######################################## ## +## Read user temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_append_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + allow $1 user_tmp_t:file append_inherited_file_perms; +') + +######################################## +## ## Do not audit attempts to read users ## temporary files. ## @@ -3135,6 +3204,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') +######################################## +## +## Read and write user temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_user_tmp_sock_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:dir list_dir_perms; + allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms; + files_search_tmp($1) +') ######################################## ## 
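Review bot: The summary for the new `userdom_relabel_user_tmp_dirs` (-2416 hunk) is copied from the files interface above it and still reads "Relabel user tmp files."; it should be `## Relabel user tmp directories.`. The same copy-paste affects `userdom_append_user_tmp_files` in the -3080 hunk, documented as "Read user temporary files." although it grants `append_inherited_file_perms`; suggest `## Append to inherited user temporary files.`. Accurate summaries matter here because these are the strings policy authors read when choosing the narrowest interface.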
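Review bot: `userdom_rw_user_tmp_sock_files` (-3135 hunk) grants `user_tmp_t:dir list_dir_perms`, but the xserver.if and xserver.te rules it replaces only had `search_dir_perms` on the directory, and `xserver_user_client` had plain `{ read write }` on the socket. Every X client domain therefore gains the ability to enumerate user temp directories. Suggest `allow $1 user_tmp_t:dir search_dir_perms;`, which also makes the separate `userdom_search_user_tmp_dirs` calls at the call sites redundant. The summary should read `## Read and write inherited user temporary socket files.`, and a blank line is missing before the `####` separator that opens this block.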
@@ -3372,12 +3460,8 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_getattr_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - fs_search_tmpfs($1) + refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') + userdom_getattr_user_tmp_files($1) ') ######################################## @@ -3391,14 +3475,8 @@ interface(`userdom_getattr_user_tmpfs_files',` ## # interface(`userdom_read_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.') + userdom_read_user_tmp_files($1) ') ######################################## @@ -3412,14 +3490,8 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.') + userdom_rw_user_tmp_files($1) ') ######################################## @@ -3433,11 +3505,8 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_rw_inherited_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - allow $1 user_tmpfs_t:file rw_inherited_file_perms; + refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.') + userdom_rw_inherited_user_tmp_files($1) ') ######################################## 
@@ -3451,11 +3520,26 @@ interface(`userdom_rw_inherited_user_tmpfs_files',` ## # interface(`userdom_execute_user_tmpfs_files',` + refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.') + userdom_execute_user_tmp_files($1) +') + +######################################## +## +## Execute user tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_execute_user_tmp_files',` gen_require(` - type user_tmpfs_t; + type user_tmp_t; ') - allow $1 user_tmpfs_t:file execute; + allow $1 user_tmp_t:file execute; ') ######################################## @@ -5208,16 +5292,8 @@ interface(`userdom_list_all_user_tmp_content',` ## # interface(`userdom_manage_all_user_tmpfs_content',` - gen_require(` - attribute user_tmpfs_type; - ') - - manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type) - manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type) - manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type) - manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type) - manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type) - fs_search_tmpfs($1) + refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.') + userdom_manage_all_user_tmp_content($1) ') ######################################## @@ -5431,11 +5507,8 @@ interface(`userdom_dontaudit_setattr_user_tmp',` ## # interface(`userdom_dontaudit_setattr_user_tmpfs',` - gen_require(` - type user_tmpfs_t; - ') - - dontaudit $1 user_tmpfs_t:file setattr; + refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.') + userdom_dontaudit_setattr_user_tmp($1) ') ######################################## 
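Review bot: The new `userdom_execute_user_tmp_files` (-3451 hunk) keeps the summary "Execute user tmpfs files." although it now operates on user_tmp_t; it should read `## Execute user temporary files.`. The xserver.te change in this commit calls `userdom_exec_user_tmp_files`, so there appear to be two near-identically named interfaces for executing user temp files with possibly different permission sets (this one grants bare `execute` only). A comment on the difference, or folding one into the other, would keep policy authors from picking the wrong one.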
@@ -5539,11 +5612,8 @@ interface(`userdom_delete_user_tmp_files',` ## # interface(`userdom_delete_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - allow $1 user_tmpfs_t:file delete_file_perms; + refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.') + userdom_delete_user_tmpfs_files($1) ') ######################################## diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 7283238..6cc7d53 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -97,19 +97,18 @@ dev_node(user_devpts_t) files_type(user_devpts_t) ubac_constrained(user_devpts_t) -type user_tmp_t, user_tmp_type; +type user_tmp_t, user_tmp_type, user_tmpfs_type; typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; +typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; +typealias user_tmp_t alias xdm_tmp_t; +typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; files_tmp_file(user_tmp_t) +files_tmpfs_file(user_tmp_t) userdom_user_home_content(user_tmp_t) files_poly_parent(user_tmp_t) files_mountpoint(user_tmp_t) -type user_tmpfs_t, user_tmpfs_type; -typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; -files_tmpfs_file(user_tmpfs_t) -userdom_user_home_content(user_tmpfs_t) - type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t)
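Review bot: The deprecated `userdom_delete_user_tmpfs_files` (-5539 hunk) now calls itself: both the warning text and the body name `userdom_delete_user_tmpfs_files`, so expanding it recurses in m4 instead of granting anything. The hunk header shows that `userdom_delete_user_tmp_files` is defined just above. The body should be `userdom_delete_user_tmp_files($1)` and the warning should read `use userdom_delete_user_tmp_files() instead.`.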
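Review bot: The xserver alias list added in the userdomain.te hunk omits `auditadm_xserver_tmp_t`, `secadm_xserver_tmp_t` and `xdm_xserver_tmp_t`, which the block removed from xserver.te declared as aliases of xdm_tmp_t. Any module that still requires one of those names will fail to resolve after this change. Add `typealias user_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };`. A short comment above the declaration recording that user_tmpfs_t and xdm_tmp_t were merged into user_tmp_t would also help anyone correlating older AVC records with the new policy.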