[refpolicy] [ Simplify user content patch 3/7] user_tmp

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [ Simplify user content patch 3/7] user_tmp_t
@ 2010-07-08 15:34 Dominick Grift
  0 siblings, 0 replies; only message in thread
From: Dominick Grift @ 2010-07-08 15:34 UTC (permalink / raw)
  To: refpolicy

Declared attribute user_tmp_type in the user domain.
Implemented userdom_user_tmp_content template which includes:
- attribute user_tmp_type
- files_tmp_file
- files_poly_member_tmp
Replaced user_tmp_t declaration to use userdom_user_tmp_content(userdomain, user_tmp_t)
Replaced user tmp content type declarations in various modules to use userdom_user_tmp_content()
TODO:
Remove policy that implicitly allows users to manage/relabel userdom user tmp content.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 f294491... 2542c34... M	policy/modules/apps/evolution.te
:100644 100644 ac4f509... cea5c8c... M	policy/modules/apps/games.te
:100644 100644 4bebd9d... de7eac9... M	policy/modules/apps/gnome.te
:100644 100644 4525c37... c6f1fe2... M	policy/modules/apps/gpg.te
:100644 100644 66beb80... 29c9f53... M	policy/modules/apps/irc.te
:100644 100644 726e853... dd0737c... M	policy/modules/apps/java.te
:100644 100644 690589e... 892057b... M	policy/modules/apps/podsleuth.te
:100644 100644 320df26... 41f7ef8... M	policy/modules/apps/screen.if
:100644 100644 8c65cc6... 8a33873... M	policy/modules/apps/screen.te
:100644 100644 d736572... 10d6692... M	policy/modules/apps/tvtime.te
:100644 100644 2df1343... 62960c0... M	policy/modules/apps/uml.te
:100644 100644 b540555... b74bf4d... M	policy/modules/apps/vmware.te
:100644 100644 8af45db... 2835bec... M	policy/modules/apps/wine.te
:100644 100644 31bbf17... ca29f80... M	policy/modules/apps/wireshark.te
:100644 100644 347d339... 162d103... M	policy/modules/system/userdomain.if
:100644 100644 11bba0d... e990ead... M	policy/modules/system/userdomain.te
 policy/modules/apps/evolution.te    |   15 +++++----------
 policy/modules/apps/games.te        |    3 +--
 policy/modules/apps/gnome.te        |    3 +--
 policy/modules/apps/gpg.te          |    6 ++----
 policy/modules/apps/irc.te          |    2 +-
 policy/modules/apps/java.te         |    1 +
 policy/modules/apps/podsleuth.te    |    3 +--
 policy/modules/apps/screen.if       |    9 ++-------
 policy/modules/apps/screen.te       |    5 +++--
 policy/modules/apps/tvtime.te       |    3 +--
 policy/modules/apps/uml.te          |    3 +--
 policy/modules/apps/vmware.te       |    3 +--
 policy/modules/apps/wine.te         |    3 +--
 policy/modules/apps/wireshark.te    |    3 +--
 policy/modules/system/userdomain.if |   29 +++++++++++++++++++++++++++++
 policy/modules/system/userdomain.te |    5 +++--
 16 files changed, 54 insertions(+), 42 deletions(-)

diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index f294491..2542c34 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -28,8 +28,7 @@ ubac_constrained(evolution_alarm_tmpfs_t)
 type evolution_alarm_orbit_tmp_t;
 typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
 typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
-files_tmp_file(evolution_alarm_orbit_tmp_t)
-ubac_constrained(evolution_alarm_orbit_tmp_t)
+userdom_user_tmp_content(evolution_alarm_t, evolution_alarm_orbit_tmp_t)
 
 type evolution_exchange_t;
 type evolution_exchange_exec_t;
@@ -47,14 +46,12 @@ ubac_constrained(evolution_exchange_tmpfs_t)
 type evolution_exchange_tmp_t;
 typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
 typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
-files_tmp_file(evolution_exchange_tmp_t)
-ubac_constrained(evolution_exchange_tmp_t)
+userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t)
 
 type evolution_exchange_orbit_tmp_t;
 typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
 typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
-files_tmp_file(evolution_exchange_orbit_tmp_t)
-ubac_constrained(evolution_exchange_orbit_tmp_t)
+userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_orbit_tmp_t)
 
 type evolution_home_t;
 typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
@@ -64,8 +61,7 @@ userdom_user_home_content(evolution_home_t)
 type evolution_orbit_tmp_t;
 typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
 typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
-files_tmp_file(evolution_orbit_tmp_t)
-ubac_constrained(evolution_orbit_tmp_t)
+userdom_user_tmp_content(evolution_t, evolution_orbit_tmp_t)
 
 type evolution_server_t;
 type evolution_server_exec_t;
@@ -77,8 +73,7 @@ ubac_constrained(evolution_server_t)
 type evolution_server_orbit_tmp_t;
 typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
 typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
-files_tmp_file(evolution_server_orbit_tmp_t)
-ubac_constrained(evolution_server_orbit_tmp_t)
+userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t)
 
 type evolution_tmpfs_t;
 typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index ac4f509..cea5c8c 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -35,8 +35,7 @@ files_pid_file(games_srv_var_run_t)
 type games_tmp_t;
 typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
 typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
-files_tmp_file(games_tmp_t)
-ubac_constrained(games_tmp_t)
+userdom_user_tmp_content(games_t, games_tmp_t)
 
 type games_tmpfs_t;
 typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 4bebd9d..de7eac9 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -18,8 +18,7 @@ userdom_user_home_content(gconf_home_t)
 type gconf_tmp_t;
 typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
 typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
-files_tmp_file(gconf_tmp_t)
-ubac_constrained(gconf_tmp_t)
+userdom_user_tmp_content(gconfd_t, gconf_tmp_t)
 
 type gconfd_t, gnomedomain;
 type gconfd_exec_t;
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 4525c37..c6f1fe2 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -31,8 +31,7 @@ ubac_constrained(gpg_agent_t)
 type gpg_agent_tmp_t;
 typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
 typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
-files_tmp_file(gpg_agent_tmp_t)
-ubac_constrained(gpg_agent_tmp_t)
+userdom_user_tmp_content(gpg_agent_t, gpg_agent_tmp_t)
 
 type gpg_secret_t;
 typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
@@ -55,8 +54,7 @@ application_domain(gpg_pinentry_t, pinentry_exec_t)
 ubac_constrained(gpg_pinentry_t)
 
 type gpg_pinentry_tmp_t;
-files_tmp_file(gpg_pinentry_tmp_t)
-ubac_constrained(gpg_pinentry_tmp_t)
+userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t)
 
 type gpg_pinentry_tmpfs_t;
 files_tmpfs_file(gpg_pinentry_tmpfs_t)
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 66beb80..29c9f53 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -20,7 +20,7 @@ userdom_user_home_content(irc_home_t)
 type irc_tmp_t;
 typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
 typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_home_content(irc_tmp_t)
+userdom_user_tmp_content(irc_t, irc_tmp_t)
 
 ########################################
 #
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 726e853..dd0737c 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -20,6 +20,7 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_
 typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
 role system_r types java_t;
 
+# userdom_user_tmp_content(): seems to cause problems here.
 type java_tmp_t;
 files_tmp_file(java_tmp_t)
 ubac_constrained(java_tmp_t)
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index 690589e..892057b 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -15,8 +15,7 @@ files_type(podsleuth_cache_t)
 ubac_constrained(podsleuth_cache_t)
 
 type podsleuth_tmp_t;
-files_tmp_file(podsleuth_tmp_t)
-ubac_constrained(podsleuth_tmp_t)
+userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t)
 
 type podsleuth_tmpfs_t;
 files_tmpfs_file(podsleuth_tmpfs_t)
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index 320df26..41f7ef8 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -23,6 +23,7 @@
 #
 template(`screen_role_template',`
 	gen_require(`
+		attribute screen_domain;
 		type screen_exec_t, screen_tmp_t;
 		type screen_home_t, screen_var_run_t;
 	')
@@ -33,6 +34,7 @@ template(`screen_role_template',`
 	#
 
 	type $1_screen_t;
+	typeattribute $1_screen_t screen_domain;
 	application_domain($1_screen_t, screen_exec_t)
 	domain_interactive_fd($1_screen_t)
 	ubac_constrained($1_screen_t)
@@ -73,13 +75,6 @@ template(`screen_role_template',`
 	allow $3 $1_screen_t:process { signal sigchld };
 	allow $1_screen_t $3:process signal;
 
-	manage_dirs_pattern($3, screen_home_t, screen_home_t)
-	manage_files_pattern($3, screen_home_t, screen_home_t)
-	manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
-	relabel_dirs_pattern($3, screen_home_t, screen_home_t)
-	relabel_files_pattern($3, screen_home_t, screen_home_t)
-	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
-
 	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
 	manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
 	manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 8c65cc6..8a33873 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -5,6 +5,8 @@ policy_module(screen, 2.3.0)
 # Declarations
 #
 
+attribute screen_domain;
+
 type screen_exec_t;
 application_executable_file(screen_exec_t)
 
@@ -16,8 +18,7 @@ userdom_user_home_content(screen_home_t)
 type screen_tmp_t;
 typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
 typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
-files_tmp_file(screen_tmp_t)
-ubac_constrained(screen_tmp_t)
+userdom_user_tmp_content(screen_domain, screen_tmp_t)
 
 type screen_var_run_t;
 typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index d736572..10d6692 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -20,8 +20,7 @@ userdom_user_home_content(tvtime_home_t)
 type tvtime_tmp_t;
 typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
 typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
-files_tmp_file(tvtime_tmp_t)
-ubac_constrained(tvtime_tmp_t)
+userdom_user_tmp_content(tvtime_t, tvtime_tmp_t)
 
 type tvtime_tmpfs_t;
 typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 2df1343..62960c0 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -25,8 +25,7 @@ userdom_user_home_content(uml_rw_t)
 type uml_tmp_t;
 typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
 typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
-files_tmp_file(uml_tmp_t)
-ubac_constrained(uml_tmp_t)
+userdom_user_tmp_content(uml_t, uml_tmp_t)
 
 type uml_tmpfs_t;
 typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index b540555..b74bf4d 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -50,8 +50,7 @@ files_type(vmware_sys_conf_t)
 type vmware_tmp_t;
 typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
 typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
-files_tmp_file(vmware_tmp_t)
-ubac_constrained(vmware_tmp_t)
+userdom_user_tmp_content(vmware_t, vmware_tmp_t)
 
 type vmware_tmpfs_t;
 typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8af45db..2835bec 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -12,8 +12,7 @@ ubac_constrained(wine_t)
 role system_r types wine_t;
 
 type wine_tmp_t;
-files_tmp_file(wine_tmp_t)
-ubac_constrained(wine_tmp_t)
+userdom_user_tmp_content(wine_t, wine_tmp_t)
 
 ########################################
 #
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 31bbf17..ca29f80 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -20,8 +20,7 @@ userdom_user_home_content(wireshark_home_t)
 type wireshark_tmp_t;
 typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
 typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
-files_tmp_file(wireshark_tmp_t)
-ubac_constrained(wireshark_tmp_t)
+userdom_user_tmp_content(wireshark_t, wireshark_tmp_t)
 
 type wireshark_tmpfs_t;
 typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 347d339..162d103 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1291,6 +1291,35 @@ interface(`userdom_user_home_content',`
 
 ########################################
 ## <summary>
+##	Make the specified type usable user
+##	temporary content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain using the user temporary content.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Type of the content to be used as
+##	user temporary content.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_tmp_content',`
+	gen_require(`
+		attribute user_tmp_type;
+	')
+
+	typeattribute $2 user_tmp_type;
+
+	files_tmp_file($2)
+	files_poly_member_tmp($1, $2)
+	ubac_constrained($2)
+')
+
+########################################
+## <summary>
 ##	Allow domain to attach to TUN devices created by administrative users.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 11bba0d..e990ead 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -60,7 +60,8 @@ attribute untrusted_content_type;
 attribute untrusted_content_tmp_type;
 
 # Attributes for various classes of user content.
-attribute user_home_type
+attribute user_home_type;
+attribute user_tmp_type;
 
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
@@ -87,7 +88,7 @@ ubac_constrained(user_devpts_t)
 
 type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
 typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
-files_tmp_file(user_tmp_t)
+userdom_user_tmp_content(userdomain, user_tmp_t)
 
 type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
 files_tmpfs_file(user_tmpfs_t)
-- 
1.7.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100708/1201955b/attachment.bin 

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2010-07-08 15:34 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-07-08 15:34 [refpolicy] [ Simplify user content patch 3/7] user_tmp_t Dominick Grift

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.