From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ usedom_user_tmpfs_content patch 1/1] Create userdom_user_tmpfs_content, and replace existing user tmpfs content type declarations by it.
Date: Fri, 9 Jul 2010 17:12:20 +0200
Message-ID: <20100709151215.GA12030@localhost.localdomain>

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 b1aeb7c... e5ea9e0... M	policy/modules/apps/evolution.te
:100644 100644 cea5c8c... 45c59f2... M	policy/modules/apps/games.te
:100644 100644 5bb9e30... 31546b7... M	policy/modules/apps/gift.te
:100644 100644 c6f1fe2... 78bfb13... M	policy/modules/apps/gpg.te
:100644 100644 143a522... 3bc449e... M	policy/modules/apps/java.te
:100644 100644 82c4a54... 4f4e249... M	policy/modules/apps/mplayer.te
:100644 100644 892057b... f05e641... M	policy/modules/apps/podsleuth.te
:100644 100644 6f08115... 58a924e... M	policy/modules/apps/thunderbird.te
:100644 100644 10d6692... 76b0605... M	policy/modules/apps/tvtime.te
:100644 100644 62960c0... 05d8159... M	policy/modules/apps/uml.te
:100644 100644 5bc77b4... b93fbad... M	policy/modules/apps/vmware.te
:100644 100644 ca29f80... 40f24a7... M	policy/modules/apps/wireshark.te
:100644 100644 1bdeb16... 3695f3c... M	policy/modules/apps/xscreensaver.te
:100644 100644 1d6ddf2... 6352ec1... M	policy/modules/services/bluetooth.te
:100644 100644 afbe9ac... deb52da... M	policy/modules/services/ssh.te
:100644 100644 f51b828... 5dfdcb7... M	policy/modules/services/xserver.te
:100644 100644 7d83ec3... 142f63b... M	policy/modules/system/userdomain.if
:100644 100644 089f74f... 357de70... M	policy/modules/system/userdomain.te
 policy/modules/apps/evolution.te     |   12 ++++--------
 policy/modules/apps/games.te         |    3 +--
 policy/modules/apps/gift.te          |    3 +--
 policy/modules/apps/gpg.te           |    3 +--
 policy/modules/apps/java.te          |    3 +--
 policy/modules/apps/mplayer.te       |    3 +--
 policy/modules/apps/podsleuth.te     |    3 +--
 policy/modules/apps/thunderbird.te   |    3 +--
 policy/modules/apps/tvtime.te        |    3 +--
 policy/modules/apps/uml.te           |    3 +--
 policy/modules/apps/vmware.te        |    3 +--
 policy/modules/apps/wireshark.te     |    3 +--
 policy/modules/apps/xscreensaver.te  |    3 +--
 policy/modules/services/bluetooth.te |    3 +--
 policy/modules/services/ssh.te       |    3 +--
 policy/modules/services/xserver.te   |    3 +--
 policy/modules/system/userdomain.if  |   17 +++++++++++++++++
 policy/modules/system/userdomain.te  |    3 ++-
 18 files changed, 38 insertions(+), 39 deletions(-)

diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index b1aeb7c..e5ea9e0 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -22,8 +22,7 @@ ubac_constrained(evolution_alarm_t)
 type evolution_alarm_tmpfs_t;
 typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
 typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
-files_tmpfs_file(evolution_alarm_tmpfs_t)
-ubac_constrained(evolution_alarm_tmpfs_t)
+userdom_user_tmpfs_content(evolution_alarm_tmpfs_t)
 
 type evolution_alarm_orbit_tmp_t;
 typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
@@ -40,8 +39,7 @@ ubac_constrained(evolution_exchange_t)
 type evolution_exchange_tmpfs_t;
 typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
 typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
-files_tmpfs_file(evolution_exchange_tmpfs_t)
-ubac_constrained(evolution_exchange_tmpfs_t)
+userdom_user_tmpfs_content(evolution_exchange_tmpfs_t)
 
 type evolution_exchange_tmp_t;
 typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
@@ -80,8 +78,7 @@ userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t)
 type evolution_tmpfs_t;
 typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
 typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
-files_tmpfs_file(evolution_tmpfs_t)
-ubac_constrained(evolution_tmpfs_t)
+userdom_user_tmpfs_content(evolution_tmpfs_t)
 
 type evolution_webcal_t;
 type evolution_webcal_exec_t;
@@ -93,8 +90,7 @@ ubac_constrained(evolution_webcal_t)
 type evolution_webcal_tmpfs_t;
 typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
 typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
-files_tmpfs_file(evolution_webcal_tmpfs_t)
-ubac_constrained(evolution_webcal_tmpfs_t)
+userdom_user_tmpfs_content(evolution_webcal_tmpfs_t)
 
 ########################################
 #
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index cea5c8c..45c59f2 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -40,8 +40,7 @@ userdom_user_tmp_content(games_t, games_tmp_t)
 type games_tmpfs_t;
 typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
 typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
-files_tmpfs_file(games_tmpfs_t)
-ubac_constrained(games_tmpfs_t)
+userdom_user_tmpfs_content(games_tmpfs_t)
 
 ########################################
 #
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 5bb9e30..31546b7 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -20,8 +20,7 @@ userdom_user_home_content(gift_home_t)
 type gift_tmpfs_t;
 typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
 typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
-files_tmpfs_file(gift_tmpfs_t)
-ubac_constrained(gift_tmpfs_t)
+userdom_user_tmpfs_content(gift_tmpfs_t)
 
 type giftd_t;
 type giftd_exec_t;
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index c6f1fe2..78bfb13 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -57,8 +57,7 @@ type gpg_pinentry_tmp_t;
 userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t)
 
 type gpg_pinentry_tmpfs_t;
-files_tmpfs_file(gpg_pinentry_tmpfs_t)
-ubac_constrained(gpg_pinentry_tmpfs_t)
+userdom_user_tmpfs_content(gpg_pinentry_tmpfs_t)
 
 ########################################
 #
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 143a522..3bc449e 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -26,10 +26,9 @@ typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t }
 userdom_user_tmp_content(java_t, java_tmp_t)
 
 type java_tmpfs_t;
-ubac_constrained(java_tmpfs_t)
-files_tmpfs_file(java_tmpfs_t)
 typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
 typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
+userdom_user_tmpfs_content(java_tmpfs_t)
 
 type unconfined_java_t;
 init_system_domain(unconfined_java_t, java_exec_t)
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 82c4a54..4f4e249 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -37,8 +37,7 @@ userdom_user_home_content(mplayer_home_t)
 type mplayer_tmpfs_t;
 typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
 typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
-files_tmpfs_file(mplayer_tmpfs_t)
-ubac_constrained(mplayer_tmpfs_t)
+userdom_user_tmpfs_content(mplayer_tmpfs_t)
 
 ########################################
 #
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index 892057b..f05e641 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -18,8 +18,7 @@ type podsleuth_tmp_t;
 userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t)
 
 type podsleuth_tmpfs_t;
-files_tmpfs_file(podsleuth_tmpfs_t)
-ubac_constrained(podsleuth_tmpfs_t)
+userdom_user_tmpfs_content(podsleuth_tmpfs_t)
 
 ########################################
 #
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 6f08115..58a924e 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -20,8 +20,7 @@ userdom_user_home_content(thunderbird_home_t)
 type thunderbird_tmpfs_t;
 typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t };
 typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
-files_tmpfs_file(thunderbird_tmpfs_t)
-ubac_constrained(thunderbird_tmpfs_t)
+userdom_user_tmpfs_content(thunderbird_tmpfs_t)
 
 ########################################
 #
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 10d6692..76b0605 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -25,8 +25,7 @@ userdom_user_tmp_content(tvtime_t, tvtime_tmp_t)
 type tvtime_tmpfs_t;
 typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
 typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t };
-files_tmpfs_file(tvtime_tmpfs_t)
-ubac_constrained(tvtime_tmpfs_t)
+userdom_user_tmpfs_content(tvtime_tmpfs_t)
 
 ########################################
 #
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 62960c0..05d8159 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -30,8 +30,7 @@ userdom_user_tmp_content(uml_t, uml_tmp_t)
 type uml_tmpfs_t;
 typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
 typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t };
-files_tmpfs_file(uml_tmpfs_t)
-ubac_constrained(uml_tmpfs_t)
+userdom_user_tmpfs_content(uml_tmpfs_t)
 
 type uml_devpts_t;
 typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t };
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 5bc77b4..b93fbad 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -59,8 +59,7 @@ userdom_user_tmp_content(vmware_t, vmware_tmp_t)
 type vmware_tmpfs_t;
 typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
 typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
-files_tmpfs_file(vmware_tmpfs_t)
-ubac_constrained(vmware_tmpfs_t)
+userdom_user_tmpfs_content(vmware_tmpfs_t)
 
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index ca29f80..40f24a7 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -25,8 +25,7 @@ userdom_user_tmp_content(wireshark_t, wireshark_tmp_t)
 type wireshark_tmpfs_t;
 typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
 typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
-files_tmpfs_file(wireshark_tmpfs_t)
-ubac_constrained(wireshark_tmpfs_t)
+userdom_user_tmpfs_content(wireshark_tmpfs_t)
 
 ##############################
 #
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
index 1bdeb16..3695f3c 100644
--- a/policy/modules/apps/xscreensaver.te
+++ b/policy/modules/apps/xscreensaver.te
@@ -11,8 +11,7 @@ application_domain(xscreensaver_t, xscreensaver_exec_t)
 ubac_constrained(xscreensaver_t)
 
 type xscreensaver_tmpfs_t;
-files_tmpfs_file(xscreensaver_tmpfs_t)
-ubac_constrained(xscreensaver_tmpfs_t)
+userdom_user_tmpfs_content(xscreensaver_tmpfs_t)
 
 ########################################
 #
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 1d6ddf2..6352ec1 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -29,8 +29,7 @@ userdom_user_tmp_content(bluetooth_helper_t, bluetooth_helper_tmp_t)
 type bluetooth_helper_tmpfs_t;
 typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
 typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t };
-files_tmpfs_file(bluetooth_helper_tmpfs_t)
-ubac_constrained(bluetooth_helper_tmpfs_t)
+userdom_user_tmpfs_content(bluetooth_helper_tmpfs_t)
 
 type bluetooth_initrc_exec_t;
 init_script_file(bluetooth_initrc_exec_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index afbe9ac..deb52da 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -68,8 +68,7 @@ ubac_constrained(ssh_keysign_t)
 type ssh_tmpfs_t;
 typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
 typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
-files_tmpfs_file(ssh_tmpfs_t)
-ubac_constrained(ssh_tmpfs_t)
+userdom_user_tmpfs_content(ssh_tmpfs_t)
 
 type ssh_home_t;
 typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f51b828..5dfdcb7 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -203,8 +203,7 @@ userdom_user_tmp_content(xserver_t, xserver_tmp_t)
 type xserver_tmpfs_t;
 typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
 typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
-files_tmpfs_file(xserver_tmpfs_t)
-ubac_constrained(xserver_tmpfs_t)
+userdom_user_tmpfs_content(xserver_tmpfs_t)
 
 type xsession_exec_t;
 corecmd_executable_file(xsession_exec_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7d83ec3..142f63b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1310,6 +1310,23 @@ interface(`userdom_user_tmp_content',`
 
 ########################################
 ## <summary>
+##	Make the specified type usable user
+##	shared memory content.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for user shared
+##	memory content.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_tmpfs_content',`
+	files_tmpfs_file($1)
+	ubac_constrained($1)
+')
+
+########################################
+## <summary>
 ##	Allow domain to attach to TUN devices created by administrative users.
 ## </summary>
 ## <param name="domain">
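Review bot: The summary of the new interface in this userdomain.if hunk reads "Make the specified type usable user shared memory content", which is missing a word; suggest "Make the specified type usable as user shared memory content." The parameter description could also say that the interface takes only the type, since the similarly named userdom_user_tmp_content is called with two arguments (domain, type) throughout this patch, for example `userdom_user_tmp_content(games_t, games_tmp_t)`, and a reader is likely to assume the same signature here.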
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 089f74f..357de70 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -89,7 +89,8 @@ files_tmp_file(user_tmp_t)
 userdom_user_home_content(user_tmp_t)
 
 type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
-files_tmpfs_file(user_tmpfs_t)
+userdom_user_tmpfs_content(user_tmpfs_t)
+# Consider removing this
 userdom_user_home_content(user_tmpfs_t)
 
 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
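Review bot: This replacement on user_tmpfs_t is not a like-for-like swap: the removed line was only `files_tmpfs_file(user_tmpfs_t)`, while userdom_user_tmpfs_content as defined in userdomain.if also applies `ubac_constrained($1)`, so on the visible lines user_tmpfs_t gains a UBAC constraint it did not have from this declaration. Please say in the commit message whether that is intended or already covered elsewhere, because the subject describes the patch as a pure replacement. The added `# Consider removing this` also does not say what "this" refers to or why; if it means the `userdom_user_home_content(user_tmpfs_t)` line below, name that line and give the reason, or drop the comment and raise it on the list instead.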
-- 
1.7.1.1
