From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ Simplify user content patch 3/7] user_tmp_t
Date: Thu, 8 Jul 2010 17:34:49 +0200 [thread overview]
Message-ID: <20100708153443.GA6743@localhost.localdomain> (raw)
Declared attribute user_tmp_type in the user domain.
Implemented userdom_user_tmp_content template which includes:
- attribute user_tmp_type
- files_tmp_file
- files_poly_member_tmp
Replaced user_tmp_t declaration to use userdom_user_tmp_content(userdomain, user_tmp_t)
Replaced user tmp content type declarations in various modules to use userdom_user_tmp_content()
TODO:
Remove policy that implicitly allows users to manage/relabel userdom user tmp content.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 f294491... 2542c34... M policy/modules/apps/evolution.te
:100644 100644 ac4f509... cea5c8c... M policy/modules/apps/games.te
:100644 100644 4bebd9d... de7eac9... M policy/modules/apps/gnome.te
:100644 100644 4525c37... c6f1fe2... M policy/modules/apps/gpg.te
:100644 100644 66beb80... 29c9f53... M policy/modules/apps/irc.te
:100644 100644 726e853... dd0737c... M policy/modules/apps/java.te
:100644 100644 690589e... 892057b... M policy/modules/apps/podsleuth.te
:100644 100644 320df26... 41f7ef8... M policy/modules/apps/screen.if
:100644 100644 8c65cc6... 8a33873... M policy/modules/apps/screen.te
:100644 100644 d736572... 10d6692... M policy/modules/apps/tvtime.te
:100644 100644 2df1343... 62960c0... M policy/modules/apps/uml.te
:100644 100644 b540555... b74bf4d... M policy/modules/apps/vmware.te
:100644 100644 8af45db... 2835bec... M policy/modules/apps/wine.te
:100644 100644 31bbf17... ca29f80... M policy/modules/apps/wireshark.te
:100644 100644 347d339... 162d103... M policy/modules/system/userdomain.if
:100644 100644 11bba0d... e990ead... M policy/modules/system/userdomain.te
policy/modules/apps/evolution.te | 15 +++++----------
policy/modules/apps/games.te | 3 +--
policy/modules/apps/gnome.te | 3 +--
policy/modules/apps/gpg.te | 6 ++----
policy/modules/apps/irc.te | 2 +-
policy/modules/apps/java.te | 1 +
policy/modules/apps/podsleuth.te | 3 +--
policy/modules/apps/screen.if | 9 ++-------
policy/modules/apps/screen.te | 5 +++--
policy/modules/apps/tvtime.te | 3 +--
policy/modules/apps/uml.te | 3 +--
policy/modules/apps/vmware.te | 3 +--
policy/modules/apps/wine.te | 3 +--
policy/modules/apps/wireshark.te | 3 +--
policy/modules/system/userdomain.if | 29 +++++++++++++++++++++++++++++
policy/modules/system/userdomain.te | 5 +++--
16 files changed, 54 insertions(+), 42 deletions(-)
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index f294491..2542c34 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -28,8 +28,7 @@ ubac_constrained(evolution_alarm_tmpfs_t)
type evolution_alarm_orbit_tmp_t;
typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
-files_tmp_file(evolution_alarm_orbit_tmp_t)
-ubac_constrained(evolution_alarm_orbit_tmp_t)
+userdom_user_tmp_content(evolution_alarm_t, evolution_alarm_orbit_tmp_t)
type evolution_exchange_t;
type evolution_exchange_exec_t;
@@ -47,14 +46,12 @@ ubac_constrained(evolution_exchange_tmpfs_t)
type evolution_exchange_tmp_t;
typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
-files_tmp_file(evolution_exchange_tmp_t)
-ubac_constrained(evolution_exchange_tmp_t)
+userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t)
type evolution_exchange_orbit_tmp_t;
typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
-files_tmp_file(evolution_exchange_orbit_tmp_t)
-ubac_constrained(evolution_exchange_orbit_tmp_t)
+userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_orbit_tmp_t)
type evolution_home_t;
typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
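Review bot: The two added calls in this hunk, `userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t)` and `userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_orbit_tmp_t)`, pass the same domain with two different types. The new interface forwards both arguments to `files_poly_member_tmp($1, $2)`. That interface's body is not shown in this patch, but if it emits a per-domain `type_member` rule for the tmp directory, one domain ends up with two different member types for the same directory, which should either fail to compile or leave polyinstantiation ambiguous. This may be the same problem the java.te comment alludes to. Consider giving only one type per domain the poly-member role and letting the second type take just the attribute, `files_tmp_file` and `ubac_constrained`.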
@@ -64,8 +61,7 @@ userdom_user_home_content(evolution_home_t)
type evolution_orbit_tmp_t;
typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
-files_tmp_file(evolution_orbit_tmp_t)
-ubac_constrained(evolution_orbit_tmp_t)
+userdom_user_tmp_content(evolution_t, evolution_orbit_tmp_t)
type evolution_server_t;
type evolution_server_exec_t;
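Review bot: The context lines above the added call declare the `*_evolution_orbit_tmp_t` aliases on `evolution_home_t`, not on `evolution_orbit_tmp_t`. The legacy names therefore resolve to the home content type and never pick up `user_tmp_type` or the UBAC constraint from the new `userdom_user_tmp_content(evolution_t, evolution_orbit_tmp_t)` line. This predates the patch, but a patch that consolidates the tmp types is the natural place to fix it: `typealias evolution_orbit_tmp_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };`, and likewise for the auditadm/secadm line.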
@@ -77,8 +73,7 @@ ubac_constrained(evolution_server_t)
type evolution_server_orbit_tmp_t;
typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
-files_tmp_file(evolution_server_orbit_tmp_t)
-ubac_constrained(evolution_server_orbit_tmp_t)
+userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t)
type evolution_tmpfs_t;
typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index ac4f509..cea5c8c 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -35,8 +35,7 @@ files_pid_file(games_srv_var_run_t)
type games_tmp_t;
typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
-files_tmp_file(games_tmp_t)
-ubac_constrained(games_tmp_t)
+userdom_user_tmp_content(games_t, games_tmp_t)
type games_tmpfs_t;
typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 4bebd9d..de7eac9 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -18,8 +18,7 @@ userdom_user_home_content(gconf_home_t)
type gconf_tmp_t;
typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
-files_tmp_file(gconf_tmp_t)
-ubac_constrained(gconf_tmp_t)
+userdom_user_tmp_content(gconfd_t, gconf_tmp_t)
type gconfd_t, gnomedomain;
type gconfd_exec_t;
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 4525c37..c6f1fe2 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -31,8 +31,7 @@ ubac_constrained(gpg_agent_t)
type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
-files_tmp_file(gpg_agent_tmp_t)
-ubac_constrained(gpg_agent_tmp_t)
+userdom_user_tmp_content(gpg_agent_t, gpg_agent_tmp_t)
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
@@ -55,8 +54,7 @@ application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)
type gpg_pinentry_tmp_t;
-files_tmp_file(gpg_pinentry_tmp_t)
-ubac_constrained(gpg_pinentry_tmp_t)
+userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t)
type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 66beb80..29c9f53 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -20,7 +20,7 @@ userdom_user_home_content(irc_home_t)
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_home_content(irc_tmp_t)
+userdom_user_tmp_content(irc_t, irc_tmp_t)
########################################
#
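Review bot: The line replaced here is `userdom_user_home_content(irc_tmp_t)`, not the `files_tmp_file`/`ubac_constrained` pair removed in the other modules, so for irc.te this is a labelling change rather than a refactor. `irc_tmp_t` stops being user home content and becomes a tmp file type with `user_tmp_type`. Any access that previously reached it through the home-content attribute will disappear. The commit message does not mention this; it should, and rules that relied on the old classification should be checked before merging.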
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 726e853..dd0737c 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -20,6 +20,7 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
role system_r types java_t;
+# userdom_user_tmp_content(): seems to cause problems here.
type java_tmp_t;
files_tmp_file(java_tmp_t)
ubac_constrained(java_tmp_t)
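Review bot: The added comment `# userdom_user_tmp_content(): seems to cause problems here.` does not say what fails, so a later maintainer cannot tell when the exception can be dropped. The consequence is that `java_tmp_t` keeps `files_tmp_file` and `ubac_constrained` but never receives `user_tmp_type`, so any rule later written against that attribute will silently skip Java's temporary files. Record the observed symptom and the resulting gap, for example `# Not using userdom_user_tmp_content(): <observed compile error or denial>; java_tmp_t therefore lacks user_tmp_type.` If only the `files_poly_member_tmp` part is at fault, assigning the attribute separately would keep the type covered.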
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index 690589e..892057b 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -15,8 +15,7 @@ files_type(podsleuth_cache_t)
ubac_constrained(podsleuth_cache_t)
type podsleuth_tmp_t;
-files_tmp_file(podsleuth_tmp_t)
-ubac_constrained(podsleuth_tmp_t)
+userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t)
type podsleuth_tmpfs_t;
files_tmpfs_file(podsleuth_tmpfs_t)
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index 320df26..41f7ef8 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -23,6 +23,7 @@
#
template(`screen_role_template',`
gen_require(`
+ attribute screen_domain;
type screen_exec_t, screen_tmp_t;
type screen_home_t, screen_var_run_t;
')
@@ -33,6 +34,7 @@ template(`screen_role_template',`
#
type $1_screen_t;
+ typeattribute $1_screen_t screen_domain;
application_domain($1_screen_t, screen_exec_t)
domain_interactive_fd($1_screen_t)
ubac_constrained($1_screen_t)
@@ -73,13 +75,6 @@ template(`screen_role_template',`
allow $3 $1_screen_t:process { signal sigchld };
allow $1_screen_t $3:process signal;
- manage_dirs_pattern($3, screen_home_t, screen_home_t)
- manage_files_pattern($3, screen_home_t, screen_home_t)
- manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
- relabel_dirs_pattern($3, screen_home_t, screen_home_t)
- relabel_files_pattern($3, screen_home_t, screen_home_t)
- relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
-
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 8c65cc6..8a33873 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -5,6 +5,8 @@ policy_module(screen, 2.3.0)
# Declarations
#
+attribute screen_domain;
+
type screen_exec_t;
application_executable_file(screen_exec_t)
@@ -16,8 +18,7 @@ userdom_user_home_content(screen_home_t)
type screen_tmp_t;
typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
-files_tmp_file(screen_tmp_t)
-ubac_constrained(screen_tmp_t)
+userdom_user_tmp_content(screen_domain, screen_tmp_t)
type screen_var_run_t;
typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index d736572..10d6692 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -20,8 +20,7 @@ userdom_user_home_content(tvtime_home_t)
type tvtime_tmp_t;
typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
-files_tmp_file(tvtime_tmp_t)
-ubac_constrained(tvtime_tmp_t)
+userdom_user_tmp_content(tvtime_t, tvtime_tmp_t)
type tvtime_tmpfs_t;
typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 2df1343..62960c0 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -25,8 +25,7 @@ userdom_user_home_content(uml_rw_t)
type uml_tmp_t;
typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
-files_tmp_file(uml_tmp_t)
-ubac_constrained(uml_tmp_t)
+userdom_user_tmp_content(uml_t, uml_tmp_t)
type uml_tmpfs_t;
typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index b540555..b74bf4d 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -50,8 +50,7 @@ files_type(vmware_sys_conf_t)
type vmware_tmp_t;
typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
-files_tmp_file(vmware_tmp_t)
-ubac_constrained(vmware_tmp_t)
+userdom_user_tmp_content(vmware_t, vmware_tmp_t)
type vmware_tmpfs_t;
typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8af45db..2835bec 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -12,8 +12,7 @@ ubac_constrained(wine_t)
role system_r types wine_t;
type wine_tmp_t;
-files_tmp_file(wine_tmp_t)
-ubac_constrained(wine_tmp_t)
+userdom_user_tmp_content(wine_t, wine_tmp_t)
########################################
#
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 31bbf17..ca29f80 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -20,8 +20,7 @@ userdom_user_home_content(wireshark_home_t)
type wireshark_tmp_t;
typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
-files_tmp_file(wireshark_tmp_t)
-ubac_constrained(wireshark_tmp_t)
+userdom_user_tmp_content(wireshark_t, wireshark_tmp_t)
type wireshark_tmpfs_t;
typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 347d339..162d103 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1291,6 +1291,35 @@ interface(`userdom_user_home_content',`
########################################
## <summary>
+## Make the specified type usable user
+## temporary content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain using the user temporary content.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Type of the content to be used as
+## user temporary content.
+## </summary>
+## </param>
+#
+interface(`userdom_user_tmp_content',`
+ gen_require(`
+ attribute user_tmp_type;
+ ')
+
+ typeattribute $2 user_tmp_type;
+
+ files_tmp_file($2)
+ files_poly_member_tmp($1, $2)
+ ubac_constrained($2)
+')
+
+########################################
+## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <param name="domain">
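Review bot: The summary of the new interface, `Make the specified type usable user temporary content.`, is missing a word, and the `domain` parameter text does not tell callers that the domain is handed to `files_poly_member_tmp($1, $2)`. Callers in this patch pass a single domain type, an attribute (`screen_domain`, `userdomain`), and in evolution.te the same domain for two types, so the documentation should state what is accepted and whether a domain may appear in more than one call. Suggested summary: `## Make the specified type usable as user temporary content.`. The parameter text should describe the polyinstantiation role once it is confirmed against `files_poly_member_tmp`. The trailing context lines belong to the next interface, whose body lies outside this hunk.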
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 11bba0d..e990ead 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -60,7 +60,8 @@ attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
# Attributes for various classes of user content.
-attribute user_home_type
+attribute user_home_type;
+attribute user_tmp_type;
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
@@ -87,7 +88,7 @@ ubac_constrained(user_devpts_t)
type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
-files_tmp_file(user_tmp_t)
+userdom_user_tmp_content(userdomain, user_tmp_t)
type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
files_tmpfs_file(user_tmpfs_t)
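Review bot: Swapping `files_tmp_file(user_tmp_t)` for `userdom_user_tmp_content(userdomain, user_tmp_t)` is not a one-for-one replacement. The interface also applies `ubac_constrained(user_tmp_t)` and `files_poly_member_tmp(userdomain, user_tmp_t)`, and neither appears among the removed lines of this hunk. If those were not already applied to `user_tmp_t` elsewhere, which cannot be seen from here, the base user tmp type and all its aliases are newly subject to the UBAC constraint, and the poly-member rule applies to every domain carrying the `userdomain` attribute. That tightening may be intended, but it belongs in the commit message and should be tested with polyinstantiated /tmp enabled.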
--
1.7.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100708/1201955b/attachment.bin