commit: e46ed57244089ec585dcce05d50ea3b708e55196 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Thu May 12 19:12:24 2016 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu May 26 15:33:31 2016 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e46ed572 |
|
userdomain: user_tmp requires searching /run/user |
|
policy/modules/system/userdomain.if | 65 +++++++++++++++++++++++++++++-------- |
1 file changed, 52 insertions(+), 13 deletions(-) |
|
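--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -339,11 +339,14 @@ interface(`userdom_manage_tmp_role',`
 #
 interface(`userdom_exec_user_tmp_files',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 exec_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 #######################################
@@ -2368,11 +2371,14 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
 #
 interface(`userdom_write_user_tmp_sockets',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 allow $1 user_tmp_t:sock_file write_sock_file_perms;
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -2387,11 +2393,14 @@ interface(`userdom_write_user_tmp_sockets',`
 #
 interface(`userdom_list_user_tmp',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 allow $1 user_tmp_t:dir list_dir_perms;
+ allow $1 user_runtime_dir_t:dir list_dir_perms;
 files_search_tmp($1)
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -2444,12 +2453,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 #
 interface(`userdom_read_user_tmp_files',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 read_files_pattern($1, user_tmp_t, user_tmp_t)
 allow $1 user_tmp_t:dir list_dir_perms;
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -2502,12 +2514,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
 #
 interface(`userdom_rw_user_tmp_files',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 allow $1 user_tmp_t:dir list_dir_perms;
 rw_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -2541,12 +2556,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',`
 #
 interface(`userdom_read_user_tmp_symlinks',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 allow $1 user_tmp_t:dir list_dir_perms;
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -2562,11 +2580,14 @@ interface(`userdom_read_user_tmp_symlinks',`
 #
 interface(`userdom_manage_user_tmp_dirs',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -2582,11 +2603,14 @@ interface(`userdom_manage_user_tmp_dirs',`
 #
 interface(`userdom_manage_user_tmp_files',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 manage_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -2602,11 +2626,14 @@ interface(`userdom_manage_user_tmp_files',`
 #
 interface(`userdom_manage_user_tmp_symlinks',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -2622,11 +2649,14 @@ interface(`userdom_manage_user_tmp_symlinks',`
 #
 interface(`userdom_manage_user_tmp_pipes',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -2642,11 +2672,14 @@ interface(`userdom_manage_user_tmp_pipes',`
 #
 interface(`userdom_manage_user_tmp_sockets',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -2678,11 +2711,14 @@ interface(`userdom_manage_user_tmp_sockets',`
 #
 interface(`userdom_user_tmp_filetrans',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 filetrans_pattern($1, user_tmp_t, $2, $3, $4)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')
 
 ########################################
@@ -3655,9 +3691,12 @@ interface(`userdom_manage_all_user_home_content',`
 #
 interface(`userdom_manage_user_tmp_chr_files',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')
 
 manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')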
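Review bot: In `userdom_list_user_tmp` the added rule on `user_runtime_dir_t` grants `list_dir_perms`, whereas the other twelve interfaces in this file section add only `search_dir_perms` on that type and the commit title speaks only of searching /run/user. If callers are not meant to enumerate the per-user runtime directory, the line should read `allow $1 user_runtime_dir_t:dir search_dir_perms;`. If listing is intended (presumably because user_tmp_t entries can sit directly in that directory), a short comment above the rule should say so, because the interfaces that already list `user_tmp_t` dirs (`userdom_read_user_tmp_files`, `userdom_rw_user_tmp_files`, `userdom_read_user_tmp_symlinks`) get search only. The same three traversal rules are also repeated verbatim in all thirteen interfaces; collecting them in one small search interface that each of these calls would keep the widened grant reviewable in a single place. The doc comment blocks above each interface lie outside the hunks, so it is not visible whether they now mention the /run/user access.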