* [refpolicy] [ Simplify user content patch 1/7] user home content.
@ 2010-07-08 15:30 Dominick Grift
From: Dominick Grift @ 2010-07-08 15:30 UTC (permalink / raw)
  To: refpolicy

Declare attribute user_home_type for userdom_user_home_content.
Modify userdom_user_home_content() to include:
- files_poly_member
- attribute user_home_type
Remove redundant files_poly_member() calls in the various modules.
Remove userdom_user_home_content calls for user_tmp_t and user_tmpfs_t: these are not userdom_user_home_content but userdom_user_tmp_content and userdom_user_tmpfs_content, respectively.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 db570f6... f294491... M	policy/modules/apps/evolution.te
:100644 100644 4204eec... 5bb9e30... M	policy/modules/apps/gift.te
:100644 100644 62631ec... ebcd681... M	policy/modules/apps/mozilla.te
:100644 100644 da32014... 82c4a54... M	policy/modules/apps/mplayer.te
:100644 100644 c4e581e... 6f08115... M	policy/modules/apps/thunderbird.te
:100644 100644 acc7244... d736572... M	policy/modules/apps/tvtime.te
:100644 100644 3c43106... 31bbf17... M	policy/modules/apps/wireshark.te
:100644 100644 7629cf8... e4ecbbd... M	policy/modules/services/razor.te
:100644 100644 438dab7... b6a8919... M	policy/modules/services/spamassassin.te
:100644 100644 2dad3c8... 5d3b416... M	policy/modules/services/ssh.te
:100644 100644 4566008... d2b2626... M	policy/modules/services/xserver.te
:100644 100644 c7c83c4... d5cf579... M	policy/modules/system/userdomain.if
:100644 100644 69b2e0f... 11bba0d... M	policy/modules/system/userdomain.te
 policy/modules/apps/evolution.te        |    1 -
 policy/modules/apps/gift.te             |    1 -
 policy/modules/apps/mozilla.te          |    1 -
 policy/modules/apps/mplayer.te          |    1 -
 policy/modules/apps/thunderbird.te      |    1 -
 policy/modules/apps/tvtime.te           |    1 -
 policy/modules/apps/wireshark.te        |    1 -
 policy/modules/services/razor.te        |    1 -
 policy/modules/services/spamassassin.te |    1 -
 policy/modules/services/ssh.te          |    1 -
 policy/modules/services/xserver.te      |    2 --
 policy/modules/system/userdomain.if     |    4 ++++
 policy/modules/system/userdomain.te     |    7 +++----
 13 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index db570f6..f294491 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -59,7 +59,6 @@ ubac_constrained(evolution_exchange_orbit_tmp_t)
 type evolution_home_t;
 typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
 typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
-files_poly_member(evolution_home_t)
 userdom_user_home_content(evolution_home_t)
 
 type evolution_orbit_tmp_t;
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 4204eec..5bb9e30 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -15,7 +15,6 @@ ubac_constrained(gift_t)
 type gift_home_t;
 typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
 typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
-files_poly_member(gift_home_t)
 userdom_user_home_content(gift_home_t)
 
 type gift_tmpfs_t;
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 62631ec..ebcd681 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,7 +25,6 @@ files_config_file(mozilla_conf_t)
 type mozilla_home_t;
 typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
 typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-files_poly_member(mozilla_home_t)
 userdom_user_home_content(mozilla_home_t)
 
 type mozilla_tmpfs_t;
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index da32014..82c4a54 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -32,7 +32,6 @@ files_config_file(mplayer_etc_t)
 type mplayer_home_t;
 typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
 typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
-files_poly_member(mplayer_home_t)
 userdom_user_home_content(mplayer_home_t)
 
 type mplayer_tmpfs_t;
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index c4e581e..6f08115 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -15,7 +15,6 @@ ubac_constrained(thunderbird_t)
 type thunderbird_home_t;
 typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
 typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
-files_poly_member(thunderbird_home_t)
 userdom_user_home_content(thunderbird_home_t)
 
 type thunderbird_tmpfs_t;
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index acc7244..d736572 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -16,7 +16,6 @@ type tvtime_home_t alias tvtime_rw_t;
 typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
 typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
 userdom_user_home_content(tvtime_home_t)
-files_poly_member(tvtime_home_t)
 
 type tvtime_tmp_t;
 typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 3c43106..31bbf17 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -15,7 +15,6 @@ ubac_constrained(wireshark_t)
 type wireshark_home_t;
 typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
 typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
-files_poly_member(wireshark_home_t)
 userdom_user_home_content(wireshark_home_t)
 
 type wireshark_tmp_t;
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index 7629cf8..e4ecbbd 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -14,7 +14,6 @@ files_config_file(razor_etc_t)
 type razor_home_t;
 typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
 typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-files_poly_member(razor_home_t)
 userdom_user_home_content(razor_home_t)
 
 type razor_log_t;
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 438dab7..b6a8919 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -30,7 +30,6 @@ type spamassassin_home_t;
 typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
 typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
 userdom_user_home_content(spamassassin_home_t)
-files_poly_member(spamassassin_home_t)
 
 type spamassassin_tmp_t;
 typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..5d3b416 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -76,7 +76,6 @@ ubac_constrained(ssh_tmpfs_t)
 type ssh_home_t;
 typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
-files_type(ssh_home_t)
 userdom_user_home_content(ssh_home_t)
 
 ##############################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4566008..d2b2626 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -131,7 +131,6 @@ ubac_constrained(iceauth_t)
 type iceauth_home_t;
 typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
 typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
-files_poly_member(iceauth_home_t)
 userdom_user_home_content(iceauth_home_t)
 
 type xauth_t;
@@ -144,7 +143,6 @@ ubac_constrained(xauth_t)
 type xauth_home_t;
 typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
 typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
-files_poly_member(xauth_home_t)
 userdom_user_home_content(xauth_home_t)
 
 type xauth_tmp_t;
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c7c83c4..d5cf579 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1275,12 +1275,16 @@ template(`userdom_security_admin_template',`
 #
 interface(`userdom_user_home_content',`
 	gen_require(`
+		attribute user_home_type;
 		type user_home_t;
 	')
 
 	allow $1 user_home_t:filesystem associate;
 	files_type($1)
 	ubac_constrained($1)
+
+	files_poly_member($1)
+	typeattribute $1 user_home_type;
 ')
 
 ########################################
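Review bot: The added `files_poly_member($1)` line widens every caller of `userdom_user_home_content`, not only the modules that already called `files_poly_member` themselves: `ssh_home_t` in ssh.te previously carried just `files_type` and now becomes a polyinstantiation member too, which looks intended but is not stated in the commit message. The interface's header comment starts above this hunk and should say that the interface also makes `$1` a polyinstantiated directory member and assigns it the `user_home_type` attribute, so policy authors do not have to read the body to learn what a call grants. In the other direction, the `userdom_user_home_content(user_tmp_t)` and `userdom_user_home_content(user_tmpfs_t)` calls removed in userdomain.te were what supplied `ubac_constrained($1)` to those types, and no replacement call is visible in this patch. Confirm that the tmp and tmpfs content interfaces elsewhere in the series restore the UBAC constraint, and ideally land in the same commit so that no intermediate revision builds a policy with unconstrained user temporary files.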
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 69b2e0f..11bba0d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -59,6 +59,9 @@ attribute unpriv_userdomain;
 attribute untrusted_content_type;
 attribute untrusted_content_tmp_type;
 
+# Attributes for various classes of user content.
+attribute user_home_type
+
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
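Review bot: The added declaration `attribute user_home_type` has no terminating semicolon, unlike the `attribute untrusted_content_tmp_type;` line just above it, so the module will presumably fail to compile as written; it should read `attribute user_home_type;`. The new comment says "Attributes" in the plural while only one attribute is declared in this hunk. Either use the singular, or keep the plural only if further attributes are added under the same comment later in the series.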
@@ -74,10 +77,8 @@ typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content
 userdom_user_home_content(user_home_t)
 fs_associate_tmpfs(user_home_t)
 files_associate_tmp(user_home_t)
-files_poly_member(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
-ubac_constrained(user_home_t)
 
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
 dev_node(user_devpts_t)
@@ -87,11 +88,9 @@ ubac_constrained(user_devpts_t)
 type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
 typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
 files_tmp_file(user_tmp_t)
-userdom_user_home_content(user_tmp_t)
 
 type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
 files_tmpfs_file(user_tmpfs_t)
-userdom_user_home_content(user_tmpfs_t)
 
 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
 dev_node(user_tty_device_t)
-- 
1.7.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100708/2b072828/attachment-0001.bin 
