From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ userdom_user_tmp_content patch 1/1] Create userdom_user_tmp_content, and replace existing user tmp content type declarations by it.
Date: Fri, 9 Jul 2010 16:34:58 +0200
Message-ID: <20100709143453.GA9716@localhost.localdomain>

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 f294491... b1aeb7c... M	policy/modules/apps/evolution.te
:100644 100644 ac4f509... cea5c8c... M	policy/modules/apps/games.te
:100644 100644 4bebd9d... de7eac9... M	policy/modules/apps/gnome.te
:100644 100644 4525c37... c6f1fe2... M	policy/modules/apps/gpg.te
:100644 100644 66beb80... 29c9f53... M	policy/modules/apps/irc.te
:100644 100644 726e853... 143a522... M	policy/modules/apps/java.te
:100644 100644 ebcd681... 3fb62e4... M	policy/modules/apps/mozilla.te
:100644 100644 690589e... 892057b... M	policy/modules/apps/podsleuth.te
:100644 100644 320df26... 55e29cb... M	policy/modules/apps/screen.if
:100644 100644 8c65cc6... a92649b... M	policy/modules/apps/screen.te
:100644 100644 d736572... 10d6692... M	policy/modules/apps/tvtime.te
:100644 100644 2df1343... 62960c0... M	policy/modules/apps/uml.te
:100644 100644 1f803bb... 5bc77b4... M	policy/modules/apps/vmware.te
:100644 100644 8af45db... 2835bec... M	policy/modules/apps/wine.te
:100644 100644 31bbf17... ca29f80... M	policy/modules/apps/wireshark.te
:100644 100644 215b86b... 1d6ddf2... M	policy/modules/services/bluetooth.te
:100644 100644 44caccc... 80c88c1... M	policy/modules/services/cron.if
:100644 100644 d76131b... 054d8b3... M	policy/modules/services/dbus.if
:100644 100644 b738e94... 319e41e... M	policy/modules/services/dbus.te
:100644 100644 93c14ca... a2c91f2... M	policy/modules/services/lpd.te
:100644 100644 c57356a... 9d3ef86... M	policy/modules/services/mta.if
:100644 100644 64268e4... b1111b2... M	policy/modules/services/mta.te
:100644 100644 cd683f9... 2b30c50... M	policy/modules/services/pyzor.te
:100644 100644 e4ecbbd... ab30865... M	policy/modules/services/razor.te
:100644 100644 b6a8919... 6847a9b... M	policy/modules/services/spamassassin.te
:100644 100644 567592d... ef3f32d... M	policy/modules/services/ssh.if
:100644 100644 2dad3c8... 512834a... M	policy/modules/services/ssh.te
:100644 100644 d2b2626... f51b828... M	policy/modules/services/xserver.te
:100644 100644 a3135e6... 7d83ec3... M	policy/modules/system/userdomain.if
:100644 100644 69b2e0f... 5dcefd4... M	policy/modules/system/userdomain.te
 policy/modules/apps/evolution.te        |   13 +++++--------
 policy/modules/apps/games.te            |    3 +--
 policy/modules/apps/gnome.te            |    3 +--
 policy/modules/apps/gpg.te              |    6 ++----
 policy/modules/apps/irc.te              |    2 +-
 policy/modules/apps/java.te             |    3 +--
 policy/modules/apps/mozilla.te          |    3 +--
 policy/modules/apps/podsleuth.te        |    3 +--
 policy/modules/apps/screen.if           |    2 ++
 policy/modules/apps/screen.te           |    2 --
 policy/modules/apps/tvtime.te           |    3 +--
 policy/modules/apps/uml.te              |    3 +--
 policy/modules/apps/vmware.te           |    7 +++----
 policy/modules/apps/wine.te             |    3 +--
 policy/modules/apps/wireshark.te        |    3 +--
 policy/modules/services/bluetooth.te    |    3 +--
 policy/modules/services/cron.if         |    2 +-
 policy/modules/services/dbus.if         |    2 ++
 policy/modules/services/dbus.te         |    2 --
 policy/modules/services/lpd.te          |    3 +--
 policy/modules/services/mta.if          |    3 ++-
 policy/modules/services/mta.te          |    2 --
 policy/modules/services/pyzor.te        |    3 +--
 policy/modules/services/razor.te        |    3 +--
 policy/modules/services/spamassassin.te |    6 ++----
 policy/modules/services/ssh.if          |    2 ++
 policy/modules/services/ssh.te          |    2 --
 policy/modules/services/xserver.te      |    6 ++----
 policy/modules/system/userdomain.if     |   24 ++++++++++++++++++++++++
 policy/modules/system/userdomain.te     |    1 +
 30 files changed, 62 insertions(+), 61 deletions(-)

diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index f294491..b1aeb7c 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -28,8 +28,7 @@ ubac_constrained(evolution_alarm_tmpfs_t)
 type evolution_alarm_orbit_tmp_t;
 typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
 typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
-files_tmp_file(evolution_alarm_orbit_tmp_t)
-ubac_constrained(evolution_alarm_orbit_tmp_t)
+userdom_user_tmp_content(evolution_alarm_t, evolution_alarm_orbit_tmp_t)
 
 type evolution_exchange_t;
 type evolution_exchange_exec_t;
@@ -47,9 +46,9 @@ ubac_constrained(evolution_exchange_tmpfs_t)
 type evolution_exchange_tmp_t;
 typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
 typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
-files_tmp_file(evolution_exchange_tmp_t)
-ubac_constrained(evolution_exchange_tmp_t)
+userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t)
 
+# Cannot have two types of the same domain be a files_poly_member_tmp()
 type evolution_exchange_orbit_tmp_t;
 typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
 typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
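Review bot: the new comment above evolution_exchange_orbit_tmp_t records a limitation of the interface (a domain can be a files_poly_member_tmp() for only one type) but does not say which of evolution_exchange_t's two tmp types gets the polyinstantiated transition and why the other keeps the old files_tmp_file()/ubac_constrained() pattern; spell that out here, and consider documenting the one-type-per-domain restriction on userdom_user_tmp_content() itself so later callers do not trip over it.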
@@ -64,8 +63,7 @@ userdom_user_home_content(evolution_home_t)
 type evolution_orbit_tmp_t;
 typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
 typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
-files_tmp_file(evolution_orbit_tmp_t)
-ubac_constrained(evolution_orbit_tmp_t)
+userdom_user_tmp_content(evolution_t, evolution_orbit_tmp_t)
 
 type evolution_server_t;
 type evolution_server_exec_t;
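Review bot: the unchanged context lines attach the aliases user_evolution_orbit_tmp_t, staff_evolution_orbit_tmp_t, sysadm_evolution_orbit_tmp_t, auditadm_evolution_orbit_tmp_t and secadm_evolution_orbit_tmp_t to evolution_home_t instead of evolution_orbit_tmp_t, so after this hunk the orbit tmp aliases still resolve to the home type while evolution_orbit_tmp_t itself becomes tmp content. That is pre-existing rather than introduced here, but it deserves a separate fix (`typealias evolution_orbit_tmp_t alias { ... }`) alongside this series.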
@@ -77,8 +75,7 @@ ubac_constrained(evolution_server_t)
 type evolution_server_orbit_tmp_t;
 typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
 typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
-files_tmp_file(evolution_server_orbit_tmp_t)
-ubac_constrained(evolution_server_orbit_tmp_t)
+userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t)
 
 type evolution_tmpfs_t;
 typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index ac4f509..cea5c8c 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -35,8 +35,7 @@ files_pid_file(games_srv_var_run_t)
 type games_tmp_t;
 typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
 typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
-files_tmp_file(games_tmp_t)
-ubac_constrained(games_tmp_t)
+userdom_user_tmp_content(games_t, games_tmp_t)
 
 type games_tmpfs_t;
 typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 4bebd9d..de7eac9 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -18,8 +18,7 @@ userdom_user_home_content(gconf_home_t)
 type gconf_tmp_t;
 typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
 typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
-files_tmp_file(gconf_tmp_t)
-ubac_constrained(gconf_tmp_t)
+userdom_user_tmp_content(gconfd_t, gconf_tmp_t)
 
 type gconfd_t, gnomedomain;
 type gconfd_exec_t;
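Review bot: style point: userdom_user_tmp_content(gconfd_t, gconf_tmp_t) references gconfd_t two declarations before `type gconfd_t, gnomedomain;` appears; the policy compiler resolves forward references to types declared later in the module, so it builds, but moving the call below the gconfd_t declaration (or the tmp type below the domain) would keep the forward reference out of the reader's way.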
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 4525c37..c6f1fe2 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -31,8 +31,7 @@ ubac_constrained(gpg_agent_t)
 type gpg_agent_tmp_t;
 typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
 typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
-files_tmp_file(gpg_agent_tmp_t)
-ubac_constrained(gpg_agent_tmp_t)
+userdom_user_tmp_content(gpg_agent_t, gpg_agent_tmp_t)
 
 type gpg_secret_t;
 typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
@@ -55,8 +54,7 @@ application_domain(gpg_pinentry_t, pinentry_exec_t)
 ubac_constrained(gpg_pinentry_t)
 
 type gpg_pinentry_tmp_t;
-files_tmp_file(gpg_pinentry_tmp_t)
-ubac_constrained(gpg_pinentry_tmp_t)
+userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t)
 
 type gpg_pinentry_tmpfs_t;
 files_tmpfs_file(gpg_pinentry_tmpfs_t)
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 66beb80..29c9f53 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -20,7 +20,7 @@ userdom_user_home_content(irc_home_t)
 type irc_tmp_t;
 typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
 typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_home_content(irc_tmp_t)
+userdom_user_tmp_content(irc_t, irc_tmp_t)
 
 ########################################
 #
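Review bot: this hunk changes more than the mechanical replacement the subject line describes: the line being replaced is userdom_user_home_content(irc_tmp_t), not files_tmp_file()/ubac_constrained(), so irc_tmp_t stops being user home content and becomes a polyinstantiated tmp type. Either call that semantic change out in the commit message or split it into its own patch, and check that the file contexts for irc_tmp_t match its new role under /tmp.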
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 726e853..143a522 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -21,10 +21,9 @@ typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
 role system_r types java_t;
 
 type java_tmp_t;
-files_tmp_file(java_tmp_t)
-ubac_constrained(java_tmp_t)
 typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
 typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
+userdom_user_tmp_content(java_t, java_tmp_t)
 
 type java_tmpfs_t;
 ubac_constrained(java_tmpfs_t)
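Review bot: the context line `typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };` names the auditadm alias inconsistently with the staff_/user_/sysadm_javaplugin_tmp_t pattern; not introduced here, but since this hunk already reorders the block it is a good moment to fix the alias in a separate patch. Moving userdom_user_tmp_content() below the typealias lines is fine.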
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index ebcd681..3fb62e4 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -30,8 +30,7 @@ userdom_user_home_content(mozilla_home_t)
 type mozilla_tmpfs_t;
 typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
 typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
-files_tmpfs_file(mozilla_tmpfs_t)
-ubac_constrained(mozilla_tmpfs_t)
+userdom_user_tmp_content(mozilla_t, mozilla_tmpfs_t)
 
 ########################################
 #
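Review bot: this hunk converts the wrong type: mozilla_tmpfs_t is a tmpfs type (the removed line is files_tmpfs_file(mozilla_tmpfs_t)), but userdom_user_tmp_content() applies files_tmp_file() and files_poly_member_tmp(), so the type loses its tmpfs attribute and gains /tmp semantics it never had. Either drop this hunk, or, if mozilla_t's /tmp type was the intended target, apply the interface to that type and leave files_tmpfs_file(mozilla_tmpfs_t) in place.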
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index 690589e..892057b 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -15,8 +15,7 @@ files_type(podsleuth_cache_t)
 ubac_constrained(podsleuth_cache_t)
 
 type podsleuth_tmp_t;
-files_tmp_file(podsleuth_tmp_t)
-ubac_constrained(podsleuth_tmp_t)
+userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t)
 
 type podsleuth_tmpfs_t;
 files_tmpfs_file(podsleuth_tmpfs_t)
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index 320df26..55e29cb 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -38,6 +38,8 @@ template(`screen_role_template',`
 	ubac_constrained($1_screen_t)
 	role $2 types $1_screen_t;
 
+	userdom_user_tmp_content($1_screen_t, screen_tmp_t)
+
 	########################################
 	#
 	# Local policy
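Review bot: moving files_tmp_file(screen_tmp_t) and ubac_constrained(screen_tmp_t) out of screen.te (next hunk) and into screen_role_template means screen_tmp_t only becomes a tmp file type when at least one role instantiates the template, and the attribute calls are repeated once per role. The repeated typeattribute statements are harmless, but keeping the type's own attributes next to its declaration in screen.te and calling only files_poly_member_tmp($1_screen_t, screen_tmp_t) here would keep the declaration self-contained. The same applies to the dbus.if and ssh.if hunks.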
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 8c65cc6..a92649b 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -16,8 +16,6 @@ userdom_user_home_content(screen_home_t)
 type screen_tmp_t;
 typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
 typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
-files_tmp_file(screen_tmp_t)
-ubac_constrained(screen_tmp_t)
 
 type screen_var_run_t;
 typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index d736572..10d6692 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -20,8 +20,7 @@ userdom_user_home_content(tvtime_home_t)
 type tvtime_tmp_t;
 typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
 typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
-files_tmp_file(tvtime_tmp_t)
-ubac_constrained(tvtime_tmp_t)
+userdom_user_tmp_content(tvtime_t, tvtime_tmp_t)
 
 type tvtime_tmpfs_t;
 typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 2df1343..62960c0 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -25,8 +25,7 @@ userdom_user_home_content(uml_rw_t)
 type uml_tmp_t;
 typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
 typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
-files_tmp_file(uml_tmp_t)
-ubac_constrained(uml_tmp_t)
+userdom_user_tmp_content(uml_t, uml_tmp_t)
 
 type uml_tmpfs_t;
 typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 1f803bb..5bc77b4 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -31,15 +31,15 @@ init_daemon_domain(vmware_host_t, vmware_host_exec_t)
 type vmware_host_pid_t alias vmware_var_run_t;
 files_pid_file(vmware_host_pid_t)
 
+# If vmware_host_t is a system service then why does this have to be ubac constrained?
 type vmware_host_tmp_t;
 files_tmp_file(vmware_host_tmp_t)
-ubac_constrained(vmware_host_tmp_t)
 
+# If vmware_host_t is a system service then why does this have to be ubac constrained?
 type vmware_log_t;
 typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
 typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
 logging_log_file(vmware_log_t)
-ubac_constrained(vmware_log_t)
 
 type vmware_pid_t;
 typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
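Review bot: the two added comments ask a question ("why does this have to be ubac constrained?") rather than state a decision, and the hunk then answers it by dropping ubac_constrained() from vmware_host_tmp_t and vmware_log_t; that is a behaviour change unrelated to introducing the interface, so it belongs in its own patch with the reasoning in the commit message, not as questions left in the .te file. Note also that vmware_log_t still carries the user_/staff_/sysadm_vmware_log_t aliases, which suggests it was treated as per-user content, so the "system service" reading should be confirmed before the constraint is removed.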
@@ -54,8 +54,7 @@ files_type(vmware_sys_conf_t)
 type vmware_tmp_t;
 typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
 typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
-files_tmp_file(vmware_tmp_t)
-ubac_constrained(vmware_tmp_t)
+userdom_user_tmp_content(vmware_t, vmware_tmp_t)
 
 type vmware_tmpfs_t;
 typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8af45db..2835bec 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -12,8 +12,7 @@ ubac_constrained(wine_t)
 role system_r types wine_t;
 
 type wine_tmp_t;
-files_tmp_file(wine_tmp_t)
-ubac_constrained(wine_tmp_t)
+userdom_user_tmp_content(wine_t, wine_tmp_t)
 
 ########################################
 #
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 31bbf17..ca29f80 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -20,8 +20,7 @@ userdom_user_home_content(wireshark_home_t)
 type wireshark_tmp_t;
 typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
 typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
-files_tmp_file(wireshark_tmp_t)
-ubac_constrained(wireshark_tmp_t)
+userdom_user_tmp_content(wireshark_t, wireshark_tmp_t)
 
 type wireshark_tmpfs_t;
 typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 215b86b..1d6ddf2 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -24,8 +24,7 @@ ubac_constrained(bluetooth_helper_t)
 type bluetooth_helper_tmp_t;
 typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
 typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
-files_tmp_file(bluetooth_helper_tmp_t)
-ubac_constrained(bluetooth_helper_tmp_t)
+userdom_user_tmp_content(bluetooth_helper_t, bluetooth_helper_tmp_t)
 
 type bluetooth_helper_tmpfs_t;
 typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 44caccc..80c88c1 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -22,7 +22,7 @@ template(`cron_common_crontab_template',`
 	ubac_constrained($1_t)
 
 	type $1_tmp_t;
-	files_tmp_file($1_tmp_t)
+	userdom_user_tmp_content($1_t, $1_tmp_t)
 
 	##############################
 	#
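Review bot: the replaced line was only files_tmp_file($1_tmp_t); the new call additionally applies ubac_constrained() and files_poly_member_tmp() to $1_tmp_t for every instantiation of cron_common_crontab_template, so this is more than the one-to-one replacement the subject line describes. Say so in the commit message and check that every domain instantiated from this template is meant to get the polyinstantiated /tmp transition.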
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index d76131b..054d8b3 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -57,6 +57,8 @@ template(`dbus_role_template',`
 	ubac_constrained($1_dbusd_t)
 	role $2 types $1_dbusd_t;
 
+	userdom_user_tmp_content($1_dbusd_t, session_dbusd_tmp_t)
+
 	##############################
 	#
 	# Local policy
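Review bot: same concern as the screen.if hunk: files_tmp_file(session_dbusd_tmp_t) and ubac_constrained(session_dbusd_tmp_t) are now only applied when dbus_role_template is instantiated, once per role, while the type itself stays declared in dbus.te; prefer leaving those two calls next to the declaration and adding only files_poly_member_tmp($1_dbusd_t, session_dbusd_tmp_t) here.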
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index b738e94..319e41e 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -22,8 +22,6 @@ typealias dbusd_exec_t alias system_dbusd_exec_t;
 type session_dbusd_tmp_t;
 typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
 typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
-files_tmp_file(session_dbusd_tmp_t)
-ubac_constrained(session_dbusd_tmp_t)
 
 type system_dbusd_t;
 init_system_domain(system_dbusd_t, dbusd_exec_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 93c14ca..a2c91f2 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -40,8 +40,7 @@ ubac_constrained(lpr_t)
 type lpr_tmp_t;
 typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
 typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
-files_tmp_file(lpr_tmp_t)
-ubac_constrained(lpr_tmp_t)
+userdom_user_tmp_content(lpr_t, lpr_tmp_t)
 
 # Type for spool files.
 type print_spool_t;
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index c57356a..9d3ef86 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -52,9 +52,10 @@ template(`mta_base_mail_template',`
 
 	type $1_mail_t, user_mail_domain;
 	application_domain($1_mail_t, sendmail_exec_t)
+	ubac_constrained($1_mail_t)
 
 	type $1_mail_tmp_t;
-	files_tmp_file($1_mail_tmp_t)
+	userdom_user_tmp_content($1_mail_t, $1_mail_tmp_t)
 
 	##############################
 	#
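Review bot: the added ubac_constrained($1_mail_t) takes over from the ubac_constrained(user_mail_t) removed in mta.te, which is fine as long as every mail domain is declared through this template; but as with cron.if, $1_mail_tmp_t now also gets ubac_constrained() and files_poly_member_tmp() where the template previously applied only files_tmp_file(), so note that behaviour change for the non-user instantiations in the commit message.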
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 64268e4..b1111b2 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -40,8 +40,6 @@ typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
 typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
 typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
 typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
-ubac_constrained(user_mail_t)
-ubac_constrained(user_mail_tmp_t)
 
 ########################################
 #
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index cd683f9..2b30c50 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -24,8 +24,7 @@ userdom_user_home_content(pyzor_home_t)
 type pyzor_tmp_t;
 typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
 typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-files_tmp_file(pyzor_tmp_t)
-ubac_constrained(pyzor_tmp_t)
+userdom_user_tmp_content(pyzor_t, pyzor_tmp_t)
 
 type pyzor_var_lib_t;
 typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index e4ecbbd..ab30865 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -22,8 +22,7 @@ logging_log_file(razor_log_t)
 type razor_tmp_t;
 typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
 typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-files_tmp_file(razor_tmp_t)
-ubac_constrained(razor_tmp_t)
+userdom_user_tmp_content(razor_t, razor_tmp_t)
 
 type razor_var_lib_t;
 files_type(razor_var_lib_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index b6a8919..6847a9b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -34,8 +34,7 @@ userdom_user_home_content(spamassassin_home_t)
 type spamassassin_tmp_t;
 typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
 typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-files_tmp_file(spamassassin_tmp_t)
-ubac_constrained(spamassassin_tmp_t)
+userdom_user_tmp_content(spamassassin_t, spamassassin_tmp_t)
 
 type spamc_t;
 type spamc_exec_t;
@@ -47,8 +46,7 @@ ubac_constrained(spamc_t)
 type spamc_tmp_t;
 typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
 typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-files_tmp_file(spamc_tmp_t)
-ubac_constrained(spamc_tmp_t)
+userdom_user_tmp_content(spamc_t, spamc_tmp_t)
 
 type spamd_t;
 type spamd_exec_t;
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 567592d..ef3f32d 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -313,6 +313,8 @@ template(`ssh_role_template',`
 	ubac_constrained($1_ssh_agent_t)
 	role $2 types $1_ssh_agent_t;
 
+	userdom_user_tmp_content($1_ssh_agent_t, ssh_agent_tmp_t)
+
 	##############################
 	#
 	# Local policy
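Review bot: same concern as the screen.if hunk: with files_tmp_file(ssh_agent_tmp_t) and ubac_constrained(ssh_agent_tmp_t) removed from ssh.te, the type only gets its file attributes when ssh_role_template is instantiated; keep those two calls beside the declaration in ssh.te and add only files_poly_member_tmp($1_ssh_agent_t, ssh_agent_tmp_t) here.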
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..512834a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -57,8 +57,6 @@ corecmd_executable_file(ssh_agent_exec_t)
 type ssh_agent_tmp_t;
 typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
 typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
-files_tmp_file(ssh_agent_tmp_t)
-ubac_constrained(ssh_agent_tmp_t)
 
 type ssh_keysign_t;
 type ssh_keysign_exec_t;
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index d2b2626..f51b828 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -148,8 +148,7 @@ userdom_user_home_content(xauth_home_t)
 type xauth_tmp_t;
 typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
-files_tmp_file(xauth_tmp_t)
-ubac_constrained(xauth_tmp_t)
+userdom_user_tmp_content(xauth_t, xauth_tmp_t)
 
 # this is not actually a device, its a pipe
 type xconsole_device_t;
@@ -199,8 +198,7 @@ ubac_constrained(xserver_t)
 type xserver_tmp_t;
 typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
 typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-files_tmp_file(xserver_tmp_t)
-ubac_constrained(xserver_tmp_t)
+userdom_user_tmp_content(xserver_t, xserver_tmp_t)
 
 type xserver_tmpfs_t;
 typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index a3135e6..7d83ec3 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1286,6 +1286,30 @@ interface(`userdom_user_home_content',`
 
 ########################################
 ## <summary>
+##	Make the specified type usable user
+##	temporary content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain using the user temporary
+##	content.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Type to be used for user temporary
+##	content.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_tmp_content',`
+	files_tmp_file($2)
+	files_poly_member_tmp($1, $2)
+	ubac_constrained($2)
+')
+
+########################################
+## <summary>
 ##	Allow domain to attach to TUN devices created by administrative users.
 ## </summary>
 ## <param name="domain">
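Review bot: the summary "Make the specified type usable user temporary content" is missing a word; "Make the specified type usable as user temporary content" reads correctly. More importantly, the documentation does not mention that the interface also calls files_poly_member_tmp($1, $2), which sets up the domain's polyinstantiated /tmp transition, nor the restriction recorded in the evolution.te comment that a domain can be a files_poly_member_tmp() for only one type; both belong in the <summary> or a <desc> block so that callers with more than one tmp type per domain know the interface does not fit them.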
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 69b2e0f..5dcefd4 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -87,6 +87,7 @@ ubac_constrained(user_devpts_t)
 type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
 typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
 files_tmp_file(user_tmp_t)
+# Consider removing this
 userdom_user_home_content(user_tmp_t)
 
 type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
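Review bot: "# Consider removing this" above userdom_user_home_content(user_tmp_t) is a note to self rather than policy documentation and is unrelated to introducing the interface; drop it from this patch and raise the question on the list, or send a follow-up patch that actually removes the call with the reasoning in its commit message. It would also help to state why user_tmp_t itself stays on files_tmp_file() rather than the new interface.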
-- 
1.7.1.1
