Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
Date: Thu, 26 May 2016 15:54:32
Message-Id: 1464276811.e46ed57244089ec585dcce05d50ea3b708e55196.perfinion@gentoo
1 commit: e46ed57244089ec585dcce05d50ea3b708e55196
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Thu May 12 19:12:24 2016 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu May 26 15:33:31 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e46ed572
7
8 userdomain: user_tmp requires searching /run/user
9
10 policy/modules/system/userdomain.if | 65 +++++++++++++++++++++++++++++--------
11 1 file changed, 52 insertions(+), 13 deletions(-)
12
13 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
14 index 9284808..0d6d9b1 100644
15 --- a/policy/modules/system/userdomain.if
16 +++ b/policy/modules/system/userdomain.if
17 @@ -339,11 +339,14 @@ interface(`userdom_manage_tmp_role',`
18 #
19 interface(`userdom_exec_user_tmp_files',`
20 gen_require(`
21 - type user_tmp_t;
22 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
23 ')
24
25 exec_files_pattern($1, user_tmp_t, user_tmp_t)
26 files_search_tmp($1)
27 + allow $1 user_runtime_dir_t:dir search_dir_perms;
28 + allow $1 user_runtime_root_t:dir search_dir_perms;
29 + files_search_pids($1)
30 ')
31
32 #######################################
33 @@ -2368,11 +2371,14 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
34 #
35 interface(`userdom_write_user_tmp_sockets',`
36 gen_require(`
37 - type user_tmp_t;
38 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
39 ')
40
41 allow $1 user_tmp_t:sock_file write_sock_file_perms;
42 files_search_tmp($1)
43 + allow $1 user_runtime_dir_t:dir search_dir_perms;
44 + allow $1 user_runtime_root_t:dir search_dir_perms;
45 + files_search_pids($1)
46 ')
47
48 ########################################
49 @@ -2387,11 +2393,14 @@ interface(`userdom_write_user_tmp_sockets',`
50 #
51 interface(`userdom_list_user_tmp',`
52 gen_require(`
53 - type user_tmp_t;
54 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
55 ')
56
57 allow $1 user_tmp_t:dir list_dir_perms;
58 + allow $1 user_runtime_dir_t:dir list_dir_perms;
59 files_search_tmp($1)
60 + allow $1 user_runtime_root_t:dir search_dir_perms;
61 + files_search_pids($1)
62 ')
63
64 ########################################
65 @@ -2444,12 +2453,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
66 #
67 interface(`userdom_read_user_tmp_files',`
68 gen_require(`
69 - type user_tmp_t;
70 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
71 ')
72
73 read_files_pattern($1, user_tmp_t, user_tmp_t)
74 allow $1 user_tmp_t:dir list_dir_perms;
75 files_search_tmp($1)
76 + allow $1 user_runtime_dir_t:dir search_dir_perms;
77 + allow $1 user_runtime_root_t:dir search_dir_perms;
78 + files_search_pids($1)
79 ')
80
81 ########################################
82 @@ -2502,12 +2514,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
83 #
84 interface(`userdom_rw_user_tmp_files',`
85 gen_require(`
86 - type user_tmp_t;
87 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
88 ')
89
90 allow $1 user_tmp_t:dir list_dir_perms;
91 rw_files_pattern($1, user_tmp_t, user_tmp_t)
92 files_search_tmp($1)
93 + allow $1 user_runtime_dir_t:dir search_dir_perms;
94 + allow $1 user_runtime_root_t:dir search_dir_perms;
95 + files_search_pids($1)
96 ')
97
98 ########################################
99 @@ -2541,12 +2556,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',`
100 #
101 interface(`userdom_read_user_tmp_symlinks',`
102 gen_require(`
103 - type user_tmp_t;
104 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
105 ')
106
107 read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
108 allow $1 user_tmp_t:dir list_dir_perms;
109 files_search_tmp($1)
110 + allow $1 user_runtime_dir_t:dir search_dir_perms;
111 + allow $1 user_runtime_root_t:dir search_dir_perms;
112 + files_search_pids($1)
113 ')
114
115 ########################################
116 @@ -2562,11 +2580,14 @@ interface(`userdom_read_user_tmp_symlinks',`
117 #
118 interface(`userdom_manage_user_tmp_dirs',`
119 gen_require(`
120 - type user_tmp_t;
121 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
122 ')
123
124 manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
125 files_search_tmp($1)
126 + allow $1 user_runtime_dir_t:dir search_dir_perms;
127 + allow $1 user_runtime_root_t:dir search_dir_perms;
128 + files_search_pids($1)
129 ')
130
131 ########################################
132 @@ -2582,11 +2603,14 @@ interface(`userdom_manage_user_tmp_dirs',`
133 #
134 interface(`userdom_manage_user_tmp_files',`
135 gen_require(`
136 - type user_tmp_t;
137 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
138 ')
139
140 manage_files_pattern($1, user_tmp_t, user_tmp_t)
141 files_search_tmp($1)
142 + allow $1 user_runtime_dir_t:dir search_dir_perms;
143 + allow $1 user_runtime_root_t:dir search_dir_perms;
144 + files_search_pids($1)
145 ')
146
147 ########################################
148 @@ -2602,11 +2626,14 @@ interface(`userdom_manage_user_tmp_files',`
149 #
150 interface(`userdom_manage_user_tmp_symlinks',`
151 gen_require(`
152 - type user_tmp_t;
153 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
154 ')
155
156 manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
157 files_search_tmp($1)
158 + allow $1 user_runtime_dir_t:dir search_dir_perms;
159 + allow $1 user_runtime_root_t:dir search_dir_perms;
160 + files_search_pids($1)
161 ')
162
163 ########################################
164 @@ -2622,11 +2649,14 @@ interface(`userdom_manage_user_tmp_symlinks',`
165 #
166 interface(`userdom_manage_user_tmp_pipes',`
167 gen_require(`
168 - type user_tmp_t;
169 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
170 ')
171
172 manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
173 files_search_tmp($1)
174 + allow $1 user_runtime_dir_t:dir search_dir_perms;
175 + allow $1 user_runtime_root_t:dir search_dir_perms;
176 + files_search_pids($1)
177 ')
178
179 ########################################
180 @@ -2642,11 +2672,14 @@ interface(`userdom_manage_user_tmp_pipes',`
181 #
182 interface(`userdom_manage_user_tmp_sockets',`
183 gen_require(`
184 - type user_tmp_t;
185 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
186 ')
187
188 manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
189 files_search_tmp($1)
190 + allow $1 user_runtime_dir_t:dir search_dir_perms;
191 + allow $1 user_runtime_root_t:dir search_dir_perms;
192 + files_search_pids($1)
193 ')
194
195 ########################################
196 @@ -2678,11 +2711,14 @@ interface(`userdom_manage_user_tmp_sockets',`
197 #
198 interface(`userdom_user_tmp_filetrans',`
199 gen_require(`
200 - type user_tmp_t;
201 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
202 ')
203
204 filetrans_pattern($1, user_tmp_t, $2, $3, $4)
205 files_search_tmp($1)
206 + allow $1 user_runtime_dir_t:dir search_dir_perms;
207 + allow $1 user_runtime_root_t:dir search_dir_perms;
208 + files_search_pids($1)
209 ')
210
211 ########################################
212 @@ -3655,9 +3691,12 @@ interface(`userdom_manage_all_user_home_content',`
213 #
214 interface(`userdom_manage_user_tmp_chr_files',`
215 gen_require(`
216 - type user_tmp_t;
217 + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
218 ')
219
220 manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
221 files_search_tmp($1)
222 + allow $1 user_runtime_dir_t:dir search_dir_perms;
223 + allow $1 user_runtime_root_t:dir search_dir_perms;
224 + files_search_pids($1)
225 ')
Report Message
Find on MARC Find on Google Groups