From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 12 Jul 2010 14:52:03 -0400 Subject: [refpolicy] [ usedom_user_tmpfs_content patch 1/1] Create userdom_user_tmpfs_content, and replace existing user tmpfs content type declarations by it. In-Reply-To: <20100709151215.GA12030@localhost.localdomain> References: <20100709151215.GA12030@localhost.localdomain> Message-ID: <4C3B6453.7070000@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/09/10 11:12, Dominick Grift wrote: 
> Signed-off-by: Dominick Grift
Doesn't apply.
> ---
> :100644 100644 b1aeb7c... e5ea9e0... M policy/modules/apps/evolution.te
> :100644 100644 cea5c8c... 45c59f2... M policy/modules/apps/games.te
> :100644 100644 5bb9e30... 31546b7... M policy/modules/apps/gift.te
> :100644 100644 c6f1fe2... 78bfb13... M policy/modules/apps/gpg.te
> :100644 100644 143a522... 3bc449e... M policy/modules/apps/java.te
> :100644 100644 82c4a54... 4f4e249... M policy/modules/apps/mplayer.te
> :100644 100644 892057b... f05e641... M policy/modules/apps/podsleuth.te
> :100644 100644 6f08115... 58a924e... M policy/modules/apps/thunderbird.te
> :100644 100644 10d6692... 76b0605... M policy/modules/apps/tvtime.te
> :100644 100644 62960c0... 05d8159... M policy/modules/apps/uml.te
> :100644 100644 5bc77b4... b93fbad... M policy/modules/apps/vmware.te
> :100644 100644 ca29f80... 40f24a7... M policy/modules/apps/wireshark.te
> :100644 100644 1bdeb16... 3695f3c... M policy/modules/apps/xscreensaver.te
> :100644 100644 1d6ddf2... 6352ec1... M policy/modules/services/bluetooth.te
> :100644 100644 afbe9ac... deb52da... M policy/modules/services/ssh.te
> :100644 100644 f51b828... 5dfdcb7... M policy/modules/services/xserver.te
> :100644 100644 7d83ec3... 142f63b... M policy/modules/system/userdomain.if
> :100644 100644 089f74f... 357de70...
M policy/modules/system/userdomain.te
> policy/modules/apps/evolution.te | 12 ++++--------
> policy/modules/apps/games.te | 3 +--
> policy/modules/apps/gift.te | 3 +--
> policy/modules/apps/gpg.te | 3 +--
> policy/modules/apps/java.te | 3 +--
> policy/modules/apps/mplayer.te | 3 +--
> policy/modules/apps/podsleuth.te | 3 +--
> policy/modules/apps/thunderbird.te | 3 +--
> policy/modules/apps/tvtime.te | 3 +--
> policy/modules/apps/uml.te | 3 +--
> policy/modules/apps/vmware.te | 3 +--
> policy/modules/apps/wireshark.te | 3 +--
> policy/modules/apps/xscreensaver.te | 3 +--
> policy/modules/services/bluetooth.te | 3 +--
> policy/modules/services/ssh.te | 3 +--
> policy/modules/services/xserver.te | 3 +--
> policy/modules/system/userdomain.if | 17 +++++++++++++++++
> policy/modules/system/userdomain.te | 3 ++-
> 18 files changed, 38 insertions(+), 39 deletions(-)
>
> diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
> index b1aeb7c..e5ea9e0 100644
> --- a/policy/modules/apps/evolution.te
> +++ b/policy/modules/apps/evolution.te
> @@ -22,8 +22,7 @@ ubac_constrained(evolution_alarm_t)
> type evolution_alarm_tmpfs_t;
> typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
> typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
> -files_tmpfs_file(evolution_alarm_tmpfs_t)
> -ubac_constrained(evolution_alarm_tmpfs_t)
> +userdom_user_tmpfs_content(evolution_alarm_tmpfs_t)
>
> type evolution_alarm_orbit_tmp_t;
> typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
> @@ -40,8 +39,7 @@ ubac_constrained(evolution_exchange_t)
> type evolution_exchange_tmpfs_t;
> typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
> typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
> -files_tmpfs_file(evolution_exchange_tmpfs_t)
> -ubac_constrained(evolution_exchange_tmpfs_t)
> +userdom_user_tmpfs_content(evolution_exchange_tmpfs_t)
>
> type evolution_exchange_tmp_t;
> typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
> @@ -80,8 +78,7 @@ userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t)
> type evolution_tmpfs_t;
> typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
> typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
> -files_tmpfs_file(evolution_tmpfs_t)
> -ubac_constrained(evolution_tmpfs_t)
> +userdom_user_tmpfs_content(evolution_tmpfs_t)
>
> type evolution_webcal_t;
> type evolution_webcal_exec_t;
> @@ -93,8 +90,7 @@ ubac_constrained(evolution_webcal_t)
> type evolution_webcal_tmpfs_t;
> typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
> typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
> -files_tmpfs_file(evolution_webcal_tmpfs_t)
> -ubac_constrained(evolution_webcal_tmpfs_t)
> +userdom_user_tmpfs_content(evolution_webcal_tmpfs_t)
>
> ########################################
> #
> diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
> index cea5c8c..45c59f2 100644
> --- a/policy/modules/apps/games.te
> +++ b/policy/modules/apps/games.te
> @@ -40,8 +40,7 @@ userdom_user_tmp_content(games_t, games_tmp_t)
> type games_tmpfs_t;
> typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
> typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
> -files_tmpfs_file(games_tmpfs_t)
> -ubac_constrained(games_tmpfs_t)
> +userdom_user_tmpfs_content(games_tmpfs_t)
>
> ########################################
> #
> diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
> index 5bb9e30..31546b7 100644
> --- a/policy/modules/apps/gift.te
> +++ b/policy/modules/apps/gift.te
> @@ -20,8 +20,7 @@ userdom_user_home_content(gift_home_t)
> type gift_tmpfs_t;
> typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
> typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
> -files_tmpfs_file(gift_tmpfs_t)
> -ubac_constrained(gift_tmpfs_t)
> +userdom_user_tmpfs_content(gift_tmpfs_t)
>
> type giftd_t;
> type giftd_exec_t;
> diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
> index c6f1fe2..78bfb13 100644
> --- a/policy/modules/apps/gpg.te
> +++ b/policy/modules/apps/gpg.te
> @@ -57,8 +57,7 @@ type gpg_pinentry_tmp_t;
> userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t)
>
> type gpg_pinentry_tmpfs_t;
> -files_tmpfs_file(gpg_pinentry_tmpfs_t)
> -ubac_constrained(gpg_pinentry_tmpfs_t)
> +userdom_user_tmpfs_content(gpg_pinentry_tmpfs_t)
>
> ########################################
> #
> diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
> index 143a522..3bc449e 100644
> --- a/policy/modules/apps/java.te
> +++ b/policy/modules/apps/java.te
> @@ -26,10 +26,9 @@ typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t }
> userdom_user_tmp_content(java_t, java_tmp_t)
>
> type java_tmpfs_t;
> -ubac_constrained(java_tmpfs_t)
> -files_tmpfs_file(java_tmpfs_t)
> typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
> typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
> +userdom_user_tmpfs_content(java_tmpfs_t)
>
> type unconfined_java_t;
> init_system_domain(unconfined_java_t, java_exec_t)
> diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
> index 82c4a54..4f4e249 100644
> --- a/policy/modules/apps/mplayer.te
> +++ b/policy/modules/apps/mplayer.te
> @@ -37,8 +37,7 @@ userdom_user_home_content(mplayer_home_t)
> type mplayer_tmpfs_t;
> typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
> typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
> -files_tmpfs_file(mplayer_tmpfs_t)
> -ubac_constrained(mplayer_tmpfs_t)
> +userdom_user_tmpfs_content(mplayer_tmpfs_t)
>
> ########################################
> #
> diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
> index 892057b..f05e641 100644
> --- a/policy/modules/apps/podsleuth.te
> +++ b/policy/modules/apps/podsleuth.te
> @@ -18,8 +18,7 @@ type podsleuth_tmp_t;
> userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t)
>
> type podsleuth_tmpfs_t;
> -files_tmpfs_file(podsleuth_tmpfs_t)
> -ubac_constrained(podsleuth_tmpfs_t)
> +userdom_user_tmpfs_content(podsleuth_tmpfs_t)
>
> ########################################
> #
> diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
> index 6f08115..58a924e 100644
> --- a/policy/modules/apps/thunderbird.te
> +++ b/policy/modules/apps/thunderbird.te
> @@ -20,8 +20,7 @@ userdom_user_home_content(thunderbird_home_t)
> type thunderbird_tmpfs_t;
> typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t };
> typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
> -files_tmpfs_file(thunderbird_tmpfs_t)
> -ubac_constrained(thunderbird_tmpfs_t)
> +userdom_user_tmpfs_content(thunderbird_tmpfs_t)
>
> ########################################
> #
> diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
> index 10d6692..76b0605 100644
> --- a/policy/modules/apps/tvtime.te
> +++ b/policy/modules/apps/tvtime.te
> @@ -25,8 +25,7 @@ userdom_user_tmp_content(tvtime_t, tvtime_tmp_t)
> type tvtime_tmpfs_t;
> typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
> typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t };
> -files_tmpfs_file(tvtime_tmpfs_t)
> -ubac_constrained(tvtime_tmpfs_t)
> +userdom_user_tmpfs_content(tvtime_tmpfs_t)
>
> ########################################
> #
> diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
> index 62960c0..05d8159 100644
> --- a/policy/modules/apps/uml.te
> +++ b/policy/modules/apps/uml.te
> @@ -30,8 +30,7 @@ userdom_user_tmp_content(uml_t, uml_tmp_t)
> type uml_tmpfs_t;
> typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
> typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t };
> -files_tmpfs_file(uml_tmpfs_t)
> -ubac_constrained(uml_tmpfs_t)
> +userdom_user_tmpfs_content(uml_tmpfs_t)
>
> type uml_devpts_t;
> typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t };
> diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
> index 5bc77b4..b93fbad 100644
> --- a/policy/modules/apps/vmware.te
> +++ b/policy/modules/apps/vmware.te
> @@ -59,8 +59,7 @@ userdom_user_tmp_content(vmware_t, vmware_tmp_t)
> type vmware_tmpfs_t;
> typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
> typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
> -files_tmpfs_file(vmware_tmpfs_t)
> -ubac_constrained(vmware_tmpfs_t)
> +userdom_user_tmpfs_content(vmware_tmpfs_t)
>
> ifdef(`enable_mcs',`
> init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
> diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
> index ca29f80..40f24a7 100644
> --- a/policy/modules/apps/wireshark.te
> +++ b/policy/modules/apps/wireshark.te
> @@ -25,8 +25,7 @@ userdom_user_tmp_content(wireshark_t, wireshark_tmp_t)
> type wireshark_tmpfs_t;
> typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
> typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
> -files_tmpfs_file(wireshark_tmpfs_t)
> -ubac_constrained(wireshark_tmpfs_t)
> +userdom_user_tmpfs_content(wireshark_tmpfs_t)
>
> ##############################
> #
> diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
> index 1bdeb16..3695f3c 100644
> --- a/policy/modules/apps/xscreensaver.te
> +++ b/policy/modules/apps/xscreensaver.te
> @@ -11,8 +11,7 @@ application_domain(xscreensaver_t, xscreensaver_exec_t)
> ubac_constrained(xscreensaver_t)
>
> type xscreensaver_tmpfs_t;
> -files_tmpfs_file(xscreensaver_tmpfs_t)
> -ubac_constrained(xscreensaver_tmpfs_t)
> +userdom_user_tmpfs_content(xscreensaver_tmpfs_t)
>
> ########################################
> #
> diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
> index 1d6ddf2..6352ec1 100644
> --- a/policy/modules/services/bluetooth.te
> +++ b/policy/modules/services/bluetooth.te
> @@ -29,8 +29,7 @@ userdom_user_tmp_content(bluetooth_helper_t, bluetooth_helper_tmp_t)
> type bluetooth_helper_tmpfs_t;
> typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
> typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t };
> -files_tmpfs_file(bluetooth_helper_tmpfs_t)
> -ubac_constrained(bluetooth_helper_tmpfs_t)
> +userdom_user_tmpfs_content(bluetooth_helper_tmpfs_t)
>
> type bluetooth_initrc_exec_t;
> init_script_file(bluetooth_initrc_exec_t)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index afbe9ac..deb52da 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -68,8 +68,7 @@ ubac_constrained(ssh_keysign_t)
> type ssh_tmpfs_t;
> typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
> typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
> -files_tmpfs_file(ssh_tmpfs_t)
> -ubac_constrained(ssh_tmpfs_t)
> +userdom_user_tmpfs_content(ssh_tmpfs_t)
>
> type ssh_home_t;
> typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index f51b828..5dfdcb7 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -203,8 +203,7 @@ userdom_user_tmp_content(xserver_t, xserver_tmp_t)
> type xserver_tmpfs_t;
> typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
> typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
> -files_tmpfs_file(xserver_tmpfs_t)
> -ubac_constrained(xserver_tmpfs_t)
> +userdom_user_tmpfs_content(xserver_tmpfs_t)
>
> type xsession_exec_t;
> corecmd_executable_file(xsession_exec_t)
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 7d83ec3..142f63b 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1310,6 +1310,23 @@ interface(`userdom_user_tmp_content',`
>
> ########################################
> ##
> +## Make the specified type usable user
> +## shared memory content.
> +##
> +##
> +##
> +## Type to be used for user shared
> +## memory content.
> +##
> +##
> +#
> +interface(`userdom_user_tmpfs_content',`
> + files_tmpfs_file($1)
> + ubac_constrained($1)
> +')
> +
> +########################################
> +##
> ## Allow domain to attach to TUN devices created by administrative users.
> ##
> ##
> diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
> index 089f74f..357de70 100644
> --- a/policy/modules/system/userdomain.te
> +++ b/policy/modules/system/userdomain.te
> @@ -89,7 +89,8 @@ files_tmp_file(user_tmp_t)
> userdom_user_home_content(user_tmp_t)
>
> type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
> -files_tmpfs_file(user_tmpfs_t)
> +userdom_user_tmpfs_content(user_tmpfs_t)
> +# Consider removing this
> userdom_user_home_content(user_tmpfs_t)
>
> type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
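Review bot: The summary of the new `userdom_user_tmpfs_content` interface in userdomain.if says the type becomes "usable user shared memory content" but does not say what the interface does, which is `files_tmpfs_file($1)` plus `ubac_constrained($1)`; the UBAC constraint is the security-relevant part and is exactly what a caller reading only the summary would miss. I would write it as `## Make the specified type usable as user shared memory (tmpfs) content: it becomes a tmpfs file type and is subject to UBAC constraints.` Note also that this interface takes only the type, while the sibling `userdom_user_tmp_content` is called with two arguments in the earlier hunks, e.g. `userdom_user_tmp_content(games_t, games_tmp_t)`, so a sentence in the doc block stating that no domain access is granted here would stop readers assuming the two are parallel. The refpolicy `<summary>` and `<param name="type">` tags are not visible in the quoted hunk, which may only be the mail rendering, but it is worth confirming they survive in the patch since the interface documentation is generated from them.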
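Review bot: Replacing `files_tmpfs_file(user_tmpfs_t)` with `userdom_user_tmpfs_content(user_tmpfs_t)` in userdomain.te is not a pure refactor for this type: every other hunk also removes a pre-existing `ubac_constrained()` call, but here the removed line only declared the tmpfs file, so `user_tmpfs_t` newly becomes UBAC-constrained unless that call already exists elsewhere in userdomain.te outside the hunk. Whether or not that is intended, it is a policy change and belongs in the commit message rather than hidden inside the interface swap. The added `# Consider removing this` comment is also too vague to act on; I would make it `# TODO: user_tmpfs_t is shared memory, not home directory content; confirm nothing relies on the home-content rules before dropping the userdom_user_home_content() call below.`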