From mboxrd@z Thu Jan 1 00:00:00 1970 From: domg472@gmail.com (Dominick Grift) Date: Thu, 8 Jul 2010 17:30:30 +0200 Subject: [refpolicy] [ Simplify user content patch 1/7] user home content. Message-ID: <20100708153025.GA6652@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Declare attribute user_home_type for userdom_user_home_content. Modify userdom_user_home_content() to include: - files_poly_member - attribute user_home_type Remove redundant files_poly_member() calls in the various modules. Remove userdom_user_home_content calls for user_tmp_t, user_tmpfs_t: it's not userdom_user_home_content but userdom_user_tmp_content and userdom_user_tmpfs_content respectively. 
Signed-off-by: Dominick Grift
---
:100644 100644 db570f6... f294491... M policy/modules/apps/evolution.te
:100644 100644 4204eec... 5bb9e30... M policy/modules/apps/gift.te
:100644 100644 62631ec... ebcd681... M policy/modules/apps/mozilla.te
:100644 100644 da32014... 82c4a54... M policy/modules/apps/mplayer.te
:100644 100644 c4e581e... 6f08115... M policy/modules/apps/thunderbird.te
:100644 100644 acc7244... d736572... M policy/modules/apps/tvtime.te
:100644 100644 3c43106... 31bbf17... M policy/modules/apps/wireshark.te
:100644 100644 7629cf8... e4ecbbd... M policy/modules/services/razor.te
:100644 100644 438dab7... b6a8919... M policy/modules/services/spamassassin.te
:100644 100644 2dad3c8... 5d3b416... M policy/modules/services/ssh.te
:100644 100644 4566008... d2b2626... M policy/modules/services/xserver.te
:100644 100644 c7c83c4... d5cf579... M policy/modules/system/userdomain.if
:100644 100644 69b2e0f... 11bba0d... M policy/modules/system/userdomain.te
policy/modules/apps/evolution.te | 1 -
policy/modules/apps/gift.te | 1 -
policy/modules/apps/mozilla.te | 1 -
policy/modules/apps/mplayer.te | 1 -
policy/modules/apps/thunderbird.te | 1 -
policy/modules/apps/tvtime.te | 1 -
policy/modules/apps/wireshark.te | 1 -
policy/modules/services/razor.te | 1 -
policy/modules/services/spamassassin.te | 1 -
policy/modules/services/ssh.te | 1 -
policy/modules/services/xserver.te | 2 --
policy/modules/system/userdomain.if | 4 ++++
policy/modules/system/userdomain.te | 7 +++----
13 files changed, 7 insertions(+), 16 deletions(-)
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index db570f6..f294491 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -59,7 +59,6 @@ ubac_constrained(evolution_exchange_orbit_tmp_t)
 type evolution_home_t;
 typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
 typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
-files_poly_member(evolution_home_t)
 userdom_user_home_content(evolution_home_t)
 
 type evolution_orbit_tmp_t;
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 4204eec..5bb9e30 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -15,7 +15,6 @@ ubac_constrained(gift_t)
 type gift_home_t;
 typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
 typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
-files_poly_member(gift_home_t)
 userdom_user_home_content(gift_home_t)
 
 type gift_tmpfs_t;
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 62631ec..ebcd681 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,7 +25,6 @@ files_config_file(mozilla_conf_t)
 type mozilla_home_t;
 typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
 typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-files_poly_member(mozilla_home_t)
 userdom_user_home_content(mozilla_home_t)
 
 type mozilla_tmpfs_t;
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index da32014..82c4a54 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -32,7 +32,6 @@ files_config_file(mplayer_etc_t)
 type mplayer_home_t;
 typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
 typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
-files_poly_member(mplayer_home_t)
 userdom_user_home_content(mplayer_home_t)
 
 type mplayer_tmpfs_t;
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index c4e581e..6f08115 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -15,7 +15,6 @@ ubac_constrained(thunderbird_t)
 type thunderbird_home_t;
 typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
 typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
-files_poly_member(thunderbird_home_t)
 userdom_user_home_content(thunderbird_home_t)
 
 type thunderbird_tmpfs_t;
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index acc7244..d736572 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -16,7 +16,6 @@ type tvtime_home_t alias tvtime_rw_t;
 typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
 typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
 userdom_user_home_content(tvtime_home_t)
-files_poly_member(tvtime_home_t)
 
 type tvtime_tmp_t;
 typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 3c43106..31bbf17 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -15,7 +15,6 @@ ubac_constrained(wireshark_t)
 type wireshark_home_t;
 typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
 typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
-files_poly_member(wireshark_home_t)
 userdom_user_home_content(wireshark_home_t)
 
 type wireshark_tmp_t;
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index 7629cf8..e4ecbbd 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -14,7 +14,6 @@ files_config_file(razor_etc_t)
 type razor_home_t;
 typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
 typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-files_poly_member(razor_home_t)
 userdom_user_home_content(razor_home_t)
 
 type razor_log_t;
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 438dab7..b6a8919 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -30,7 +30,6 @@ type spamassassin_home_t;
 typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
 typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
 userdom_user_home_content(spamassassin_home_t)
-files_poly_member(spamassassin_home_t)
 
 type spamassassin_tmp_t;
 typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..5d3b416 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -76,7 +76,6 @@ ubac_constrained(ssh_tmpfs_t)
 type ssh_home_t;
 typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
-files_type(ssh_home_t)
 userdom_user_home_content(ssh_home_t)
 
 ##############################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4566008..d2b2626 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -131,7 +131,6 @@ ubac_constrained(iceauth_t)
 type iceauth_home_t;
 typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
 typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
-files_poly_member(iceauth_home_t)
 userdom_user_home_content(iceauth_home_t)
 
 type xauth_t;
@@ -144,7 +143,6 @@ ubac_constrained(xauth_t)
 type xauth_home_t;
 typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
 typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
-files_poly_member(xauth_home_t)
 userdom_user_home_content(xauth_home_t)
 
 type xauth_tmp_t;
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c7c83c4..d5cf579 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1275,12 +1275,16 @@ template(`userdom_security_admin_template',`
 #
 interface(`userdom_user_home_content',`
 gen_require(`
+ attribute user_home_type;
 type user_home_t;
 ')
 
 allow $1 user_home_t:filesystem associate;
 files_type($1)
 ubac_constrained($1)
+
+ files_poly_member($1)
+ typeattribute $1 user_home_type;
 ')
 
 ########################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 69b2e0f..11bba0d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -59,6 +59,9 @@ attribute unpriv_userdomain;
 attribute untrusted_content_type;
 attribute untrusted_content_tmp_type;
 
+# Attributes for various classes of user content.
+attribute user_home_type
+
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
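Review bot: The `## <summary>` documentation of `userdom_user_home_content` is not updated to say that the type is now also marked a polyinstantiation member and added to the `user_home_type` attribute; that doc block sits above the `@@ -1275,12` hunk, outside this view, so it should be checked. Since every module in this series drops its own `files_poly_member()` call in favour of this interface, someone reading only the interface summary should see that the behaviour moved here rather than disappeared. A one-line addition to the `<desc>` such as `## Also marks the type as a polyinstantiated member and adds it to the user_home_type attribute.` would do.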
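Review bot: The new declaration `+attribute user_home_type` in userdomain.te is missing its terminating semicolon, unlike the neighbouring `attribute untrusted_content_tmp_type;`, so the module will not compile; change it to `attribute user_home_type;`. The `gen_require` line added in userdomain.if already spells it with the semicolon, so only this declaration needs the fix.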
@@ -74,10 +77,8 @@ typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content
 userdom_user_home_content(user_home_t)
 fs_associate_tmpfs(user_home_t)
 files_associate_tmp(user_home_t)
-files_poly_member(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
-ubac_constrained(user_home_t)
 
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
 dev_node(user_devpts_t)
@@ -87,11 +88,9 @@ ubac_constrained(user_devpts_t)
 type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
 typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
 files_tmp_file(user_tmp_t)
-userdom_user_home_content(user_tmp_t)
 
 type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
 files_tmpfs_file(user_tmpfs_t)
-userdom_user_home_content(user_tmpfs_t)
 
 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
 dev_node(user_tty_device_t)
--
1.7.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100708/2b072828/attachment-0001.bin
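Review bot: Removing `userdom_user_home_content(user_tmp_t)` and `userdom_user_home_content(user_tmpfs_t)` in the `@@ -87,11` hunk drops, with no replacement in this hunk, everything that interface supplied to those two types — per the userdomain.if hunk that is `ubac_constrained()`, `files_poly_member()` and the `user_home_t:filesystem associate` rule — leaving only `files_tmp_file()` / `files_tmpfs_file()`, whose bodies are not visible here. The commit message names `userdom_user_tmp_content()` and `userdom_user_tmpfs_content()` as the correct calls, but they are not added; if that is deferred to a later patch in the series the message should say so, otherwise add `userdom_user_tmp_content(user_tmp_t)` and `userdom_user_tmpfs_content(user_tmpfs_t)` here so the UBAC constraint on per-user temporary files is not lost in between.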