From mboxrd@z Thu Jan 1 00:00:00 1970 From: domg472@gmail.com (Dominick Grift) Date: Thu, 8 Jul 2010 17:34:49 +0200 Subject: [refpolicy] [ Simplify user content patch 3/7] user_tmp_t Message-ID: <20100708153443.GA6743@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Declared attribute user_tmp_type in the user domain. Implemented userdom_user_tmp_content template which includes: - attribute user_tmp_type - files_tmp_file - files_poly_member_tmp Replaced user_tmp_t declaration to use userdom_user_tmp_content(userdomain, user_tmp_t) Replaced user tmp content type declarations in various modules to use userdom_user_tmp_content() TODO: Remove policy that implicitly allows users to manage/relabel userdom user tmp content. Signed-off-by: Dominick Grift --- :100644 100644 f294491... 2542c34... M policy/modules/apps/evolution.te :100644 100644 ac4f509... cea5c8c... M policy/modules/apps/games.te :100644 100644 4bebd9d... de7eac9... M policy/modules/apps/gnome.te :100644 100644 4525c37... c6f1fe2... M policy/modules/apps/gpg.te :100644 100644 66beb80... 29c9f53... M policy/modules/apps/irc.te :100644 100644 726e853... dd0737c... M policy/modules/apps/java.te :100644 100644 690589e... 892057b... M policy/modules/apps/podsleuth.te :100644 100644 320df26... 41f7ef8... M policy/modules/apps/screen.if :100644 100644 8c65cc6... 8a33873... M policy/modules/apps/screen.te :100644 100644 d736572... 10d6692... M policy/modules/apps/tvtime.te :100644 100644 2df1343... 62960c0... M policy/modules/apps/uml.te :100644 100644 b540555... b74bf4d... M policy/modules/apps/vmware.te :100644 100644 8af45db... 2835bec... M policy/modules/apps/wine.te :100644 100644 31bbf17... ca29f80... M policy/modules/apps/wireshark.te :100644 100644 347d339... 162d103... M policy/modules/system/userdomain.if :100644 100644 11bba0d... e990ead... M policy/modules/system/userdomain.te policy/modules/apps/evolution.te | 15 +++++---------- policy/modules/apps/games.te | 3 +-- policy/modules/apps/gnome.te | 3 +-- policy/modules/apps/gpg.te | 6 ++---- policy/modules/apps/irc.te | 2 +- policy/modules/apps/java.te | 1 + policy/modules/apps/podsleuth.te | 3 +-- policy/modules/apps/screen.if | 9 ++------- policy/modules/apps/screen.te | 5 +++-- policy/modules/apps/tvtime.te | 3 +-- policy/modules/apps/uml.te | 3 +-- policy/modules/apps/vmware.te | 3 +-- policy/modules/apps/wine.te | 3 +-- policy/modules/apps/wireshark.te | 3 +-- policy/modules/system/userdomain.if | 29 +++++++++++++++++++++++++++++ policy/modules/system/userdomain.te | 5 +++-- 16 files changed, 54 insertions(+), 42 deletions(-) diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index f294491..2542c34 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -28,8 +28,7 @@ ubac_constrained(evolution_alarm_tmpfs_t) type evolution_alarm_orbit_tmp_t; typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t }; typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t }; -files_tmp_file(evolution_alarm_orbit_tmp_t) -ubac_constrained(evolution_alarm_orbit_tmp_t) +userdom_user_tmp_content(evolution_alarm_t, evolution_alarm_orbit_tmp_t) type evolution_exchange_t; type evolution_exchange_exec_t; @@ -47,14 +46,12 @@ ubac_constrained(evolution_exchange_tmpfs_t) type evolution_exchange_tmp_t; typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t }; typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t }; -files_tmp_file(evolution_exchange_tmp_t) -ubac_constrained(evolution_exchange_tmp_t) +userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t) type evolution_exchange_orbit_tmp_t; typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t }; typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t }; -files_tmp_file(evolution_exchange_orbit_tmp_t) -ubac_constrained(evolution_exchange_orbit_tmp_t) +userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_orbit_tmp_t) type evolution_home_t; typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t }; @@ -64,8 +61,7 @@ userdom_user_home_content(evolution_home_t) type evolution_orbit_tmp_t; typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t }; typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t }; -files_tmp_file(evolution_orbit_tmp_t) -ubac_constrained(evolution_orbit_tmp_t) +userdom_user_tmp_content(evolution_t, evolution_orbit_tmp_t) type evolution_server_t; type evolution_server_exec_t; @@ -77,8 +73,7 @@ ubac_constrained(evolution_server_t) type evolution_server_orbit_tmp_t; typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t }; typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t }; -files_tmp_file(evolution_server_orbit_tmp_t) -ubac_constrained(evolution_server_orbit_tmp_t) +userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t) type evolution_tmpfs_t; typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t }; diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te index ac4f509..cea5c8c 100644 --- a/policy/modules/apps/games.te +++ b/policy/modules/apps/games.te @@ -35,8 +35,7 @@ files_pid_file(games_srv_var_run_t) type games_tmp_t; typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t }; typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t }; -files_tmp_file(games_tmp_t) -ubac_constrained(games_tmp_t) +userdom_user_tmp_content(games_t, games_tmp_t) type games_tmpfs_t; typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t }; diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 4bebd9d..de7eac9 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -18,8 +18,7 @@ userdom_user_home_content(gconf_home_t) type gconf_tmp_t; typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; -files_tmp_file(gconf_tmp_t) -ubac_constrained(gconf_tmp_t) +userdom_user_tmp_content(gconfd_t, gconf_tmp_t) type gconfd_t, gnomedomain; type gconfd_exec_t; diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 4525c37..c6f1fe2 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -31,8 +31,7 @@ ubac_constrained(gpg_agent_t) type gpg_agent_tmp_t; typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; -files_tmp_file(gpg_agent_tmp_t) -ubac_constrained(gpg_agent_tmp_t) +userdom_user_tmp_content(gpg_agent_t, gpg_agent_tmp_t) type gpg_secret_t; typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; @@ -55,8 +54,7 @@ application_domain(gpg_pinentry_t, pinentry_exec_t) ubac_constrained(gpg_pinentry_t) type gpg_pinentry_tmp_t; -files_tmp_file(gpg_pinentry_tmp_t) -ubac_constrained(gpg_pinentry_tmp_t) +userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t) type gpg_pinentry_tmpfs_t; files_tmpfs_file(gpg_pinentry_tmpfs_t) diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te index 66beb80..29c9f53 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -20,7 +20,7 @@ userdom_user_home_content(irc_home_t) type irc_tmp_t; typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; -userdom_user_home_content(irc_tmp_t) +userdom_user_tmp_content(irc_t, irc_tmp_t) ######################################## # diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te index 726e853..dd0737c 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te @@ -20,6 +20,7 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_ typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; role system_r types java_t; +# userdom_user_tmp_content(): seems to cause problems here. type java_tmp_t; files_tmp_file(java_tmp_t) ubac_constrained(java_tmp_t) diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te index 690589e..892057b 100644 --- a/policy/modules/apps/podsleuth.te +++ b/policy/modules/apps/podsleuth.te @@ -15,8 +15,7 @@ files_type(podsleuth_cache_t) ubac_constrained(podsleuth_cache_t) type podsleuth_tmp_t; -files_tmp_file(podsleuth_tmp_t) -ubac_constrained(podsleuth_tmp_t) +userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t) type podsleuth_tmpfs_t; files_tmpfs_file(podsleuth_tmpfs_t) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if index 320df26..41f7ef8 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -23,6 +23,7 @@ # template(`screen_role_template',` gen_require(` + attribute screen_domain; type screen_exec_t, screen_tmp_t; type screen_home_t, screen_var_run_t; ') @@ -33,6 +34,7 @@ template(`screen_role_template',` # type $1_screen_t; + typeattribute $1_screen_t screen_domain; application_domain($1_screen_t, screen_exec_t) domain_interactive_fd($1_screen_t) ubac_constrained($1_screen_t) @@ -73,13 +75,6 @@ template(`screen_role_template',` allow $3 $1_screen_t:process { signal sigchld }; allow $1_screen_t $3:process signal; - manage_dirs_pattern($3, screen_home_t, screen_home_t) - manage_files_pattern($3, screen_home_t, screen_home_t) - manage_lnk_files_pattern($3, screen_home_t, screen_home_t) - relabel_dirs_pattern($3, screen_home_t, screen_home_t) - relabel_files_pattern($3, screen_home_t, screen_home_t) - relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) - manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) manage_files_pattern($3, screen_var_run_t, screen_var_run_t) manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te index 8c65cc6..8a33873 100644 --- a/policy/modules/apps/screen.te +++ b/policy/modules/apps/screen.te @@ -5,6 +5,8 @@ policy_module(screen, 2.3.0) # Declarations # +attribute screen_domain; + type screen_exec_t; application_executable_file(screen_exec_t) @@ -16,8 +18,7 @@ userdom_user_home_content(screen_home_t) type screen_tmp_t; typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; -files_tmp_file(screen_tmp_t) -ubac_constrained(screen_tmp_t) +userdom_user_tmp_content(screen_domain, screen_tmp_t) type screen_var_run_t; typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te index d736572..10d6692 100644 --- a/policy/modules/apps/tvtime.te +++ b/policy/modules/apps/tvtime.te @@ -20,8 +20,7 @@ userdom_user_home_content(tvtime_home_t) type tvtime_tmp_t; typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t }; typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t }; -files_tmp_file(tvtime_tmp_t) -ubac_constrained(tvtime_tmp_t) +userdom_user_tmp_content(tvtime_t, tvtime_tmp_t) type tvtime_tmpfs_t; typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t }; diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te index 2df1343..62960c0 100644 --- a/policy/modules/apps/uml.te +++ b/policy/modules/apps/uml.te @@ -25,8 +25,7 @@ userdom_user_home_content(uml_rw_t) type uml_tmp_t; typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t }; typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t }; -files_tmp_file(uml_tmp_t) -ubac_constrained(uml_tmp_t) +userdom_user_tmp_content(uml_t, uml_tmp_t) type uml_tmpfs_t; typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t }; diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te index b540555..b74bf4d 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -50,8 +50,7 @@ files_type(vmware_sys_conf_t) type vmware_tmp_t; typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t }; typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t }; -files_tmp_file(vmware_tmp_t) -ubac_constrained(vmware_tmp_t) +userdom_user_tmp_content(vmware_t, vmware_tmp_t) type vmware_tmpfs_t; typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t }; diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te index 8af45db..2835bec 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -12,8 +12,7 @@ ubac_constrained(wine_t) role system_r types wine_t; type wine_tmp_t; -files_tmp_file(wine_tmp_t) -ubac_constrained(wine_tmp_t) +userdom_user_tmp_content(wine_t, wine_tmp_t) ######################################## # diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te index 31bbf17..ca29f80 100644 --- a/policy/modules/apps/wireshark.te +++ b/policy/modules/apps/wireshark.te @@ -20,8 +20,7 @@ userdom_user_home_content(wireshark_home_t) type wireshark_tmp_t; typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t }; typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t }; -files_tmp_file(wireshark_tmp_t) -ubac_constrained(wireshark_tmp_t) +userdom_user_tmp_content(wireshark_t, wireshark_tmp_t) type wireshark_tmpfs_t; typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t }; diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 347d339..162d103 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1291,6 +1291,35 @@ interface(`userdom_user_home_content',` ######################################## ## +## Make the specified type usable user +## temporary content. +## +## +## +## Domain using the user temporary content. +## +## +## +## +## Type of the content to be used as +## user temporary content. +## +## +# +interface(`userdom_user_tmp_content',` + gen_require(` + attribute user_tmp_type; + ') + + typeattribute $2 user_tmp_type; + + files_tmp_file($2) + files_poly_member_tmp($1, $2) + ubac_constrained($2) +') + +######################################## +## ## Allow domain to attach to TUN devices created by administrative users. ## ## diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 11bba0d..e990ead 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -60,7 +60,8 @@ attribute untrusted_content_type; attribute untrusted_content_tmp_type; # Attributes for various classes of user content. -attribute user_home_type +attribute user_home_type; +attribute user_tmp_type; type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) @@ -87,7 +88,7 @@ ubac_constrained(user_devpts_t) type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; -files_tmp_file(user_tmp_t) +userdom_user_tmp_content(userdomain, user_tmp_t) type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; files_tmpfs_file(user_tmpfs_t) -- 1.7.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100708/1201955b/attachment.bin