| 1 |
commit: 95b1ba94ad4c7ce6466bd54c4afd73a4a23c36b8 |
| 2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
| 3 |
AuthorDate: Sat Mar 25 17:45:37 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Mar 30 11:46:17 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95b1ba94 |
| 7 |
|
| 8 |
another version of systemd cgroups hostnamed and logind |
| 9 |
|
| 10 |
From Russell Coker |
| 11 |
|
| 12 |
policy/modules/kernel/devices.if | 18 ++++++ |
| 13 |
policy/modules/kernel/devices.te | 2 +- |
| 14 |
policy/modules/kernel/filesystem.if | 18 ++++++ |
| 15 |
policy/modules/kernel/filesystem.te | 2 +- |
| 16 |
policy/modules/services/xserver.if | 38 +++++++++++++ |
| 17 |
policy/modules/services/xserver.te | 2 +- |
| 18 |
policy/modules/system/systemd.te | 108 +++++++++++++++++++++++++++++++----- |
| 19 |
policy/modules/system/udev.if | 19 +++++++ |
| 20 |
policy/modules/system/udev.te | 2 +- |
| 21 |
policy/modules/system/userdomain.if | 76 +++++++++++++++++++++++++ |
| 22 |
policy/modules/system/userdomain.te | 2 +- |
| 23 |
11 files changed, 267 insertions(+), 20 deletions(-) |
| 24 |
|
| 25 |
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if |
| 26 |
index 28984607..c5af9342 100644 |
| 27 |
--- a/policy/modules/kernel/devices.if |
| 28 |
+++ b/policy/modules/kernel/devices.if |
| 29 |
@@ -4949,6 +4949,24 @@ interface(`dev_rw_wireless',` |
| 30 |
|
| 31 |
######################################## |
| 32 |
## <summary> |
| 33 |
+## manage the wireless device. |
| 34 |
+## </summary> |
| 35 |
+## <param name="domain"> |
| 36 |
+## <summary> |
| 37 |
+## Domain allowed access. |
| 38 |
+## </summary> |
| 39 |
+## </param> |
| 40 |
+# |
| 41 |
+interface(`dev_manage_wireless',` |
| 42 |
+ gen_require(` |
| 43 |
+ type device_t, wireless_device_t; |
| 44 |
+ ') |
| 45 |
+ |
| 46 |
+ manage_chr_files_pattern($1, device_t, wireless_device_t) |
| 47 |
+') |
| 48 |
+ |
| 49 |
+######################################## |
| 50 |
+## <summary> |
| 51 |
## Read and write Xen devices. |
| 52 |
## </summary> |
| 53 |
## <param name="domain"> |
| 54 |
|
| 55 |
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te |
| 56 |
index 571abc30..e15c26c3 100644 |
| 57 |
--- a/policy/modules/kernel/devices.te |
| 58 |
+++ b/policy/modules/kernel/devices.te |
| 59 |
@@ -1,4 +1,4 @@ |
| 60 |
-policy_module(devices, 1.20.4) |
| 61 |
+policy_module(devices, 1.20.5) |
| 62 |
|
| 63 |
######################################## |
| 64 |
# |
| 65 |
|
| 66 |
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if |
| 67 |
index 0affdae2..bba3e389 100644 |
| 68 |
--- a/policy/modules/kernel/filesystem.if |
| 69 |
+++ b/policy/modules/kernel/filesystem.if |
| 70 |
@@ -4271,6 +4271,24 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` |
| 71 |
|
| 72 |
######################################## |
| 73 |
## <summary> |
| 74 |
+## Relabel from tmpfs_t dir |
| 75 |
+## </summary> |
| 76 |
+## <param name="type"> |
| 77 |
+## <summary> |
| 78 |
+## Domain allowed access. |
| 79 |
+## </summary> |
| 80 |
+## </param> |
| 81 |
+# |
| 82 |
+interface(`fs_relabelfrom_tmpfs_dirs',` |
| 83 |
+ gen_require(` |
| 84 |
+ type tmpfs_t; |
| 85 |
+ ') |
| 86 |
+ |
| 87 |
+ allow $1 tmpfs_t:dir relabelfrom; |
| 88 |
+') |
| 89 |
+ |
| 90 |
+######################################## |
| 91 |
+## <summary> |
| 92 |
## Relabel directory on tmpfs filesystems. |
| 93 |
## </summary> |
| 94 |
## <param name="domain"> |
| 95 |
|
| 96 |
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te |
| 97 |
index 597bf615..3194b0e0 100644 |
| 98 |
--- a/policy/modules/kernel/filesystem.te |
| 99 |
+++ b/policy/modules/kernel/filesystem.te |
| 100 |
@@ -1,4 +1,4 @@ |
| 101 |
-policy_module(filesystem, 1.22.4) |
| 102 |
+policy_module(filesystem, 1.22.5) |
| 103 |
|
| 104 |
######################################## |
| 105 |
# |
| 106 |
|
| 107 |
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if |
| 108 |
index 7af0ab6a..060adbfa 100644 |
| 109 |
--- a/policy/modules/services/xserver.if |
| 110 |
+++ b/policy/modules/services/xserver.if |
| 111 |
@@ -1331,6 +1331,25 @@ interface(`xserver_kill',` |
| 112 |
|
| 113 |
######################################## |
| 114 |
## <summary> |
| 115 |
+## Allow reading xserver_t files to get cgroup and sessionid |
| 116 |
+## </summary> |
| 117 |
+## <param name="domain"> |
| 118 |
+## <summary> |
| 119 |
+## Domain allowed access. |
| 120 |
+## </summary> |
| 121 |
+## </param> |
| 122 |
+# |
| 123 |
+interface(`xserver_read_state',` |
| 124 |
+ gen_require(` |
| 125 |
+ type xserver_t; |
| 126 |
+ ') |
| 127 |
+ |
| 128 |
+ allow $1 xserver_t:dir search; |
| 129 |
+ allow $1 xserver_t:file read_file_perms; |
| 130 |
+') |
| 131 |
+ |
| 132 |
+######################################## |
| 133 |
+## <summary> |
| 134 |
## Read and write X server Sys V Shared |
| 135 |
## memory segments. |
| 136 |
## </summary> |
| 137 |
@@ -1427,6 +1446,25 @@ interface(`xserver_read_tmp_files',` |
| 138 |
|
| 139 |
######################################## |
| 140 |
## <summary> |
| 141 |
+## talk to xserver_t by dbus |
| 142 |
+## </summary> |
| 143 |
+## <param name="domain"> |
| 144 |
+## <summary> |
| 145 |
+## Domain allowed access. |
| 146 |
+## </summary> |
| 147 |
+## </param> |
| 148 |
+# |
| 149 |
+interface(`xserver_dbus_chat',` |
| 150 |
+ gen_require(` |
| 151 |
+ type xserver_t; |
| 152 |
+ ') |
| 153 |
+ |
| 154 |
+ allow $1 xserver_t:dbus send_msg; |
| 155 |
+ allow xserver_t $1:dbus send_msg; |
| 156 |
+') |
| 157 |
+ |
| 158 |
+######################################## |
| 159 |
+## <summary> |
| 160 |
## Interface to provide X object permissions on a given X server to |
| 161 |
## an X client domain. Gives the domain permission to read the |
| 162 |
## virtual core keyboard and virtual core pointer devices. |
| 163 |
|
| 164 |
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te |
| 165 |
index 513915c7..9bfbafcb 100644 |
| 166 |
--- a/policy/modules/services/xserver.te |
| 167 |
+++ b/policy/modules/services/xserver.te |
| 168 |
@@ -1,4 +1,4 @@ |
| 169 |
-policy_module(xserver, 3.13.3) |
| 170 |
+policy_module(xserver, 3.13.4) |
| 171 |
|
| 172 |
gen_require(` |
| 173 |
class x_drawable all_x_drawable_perms; |
| 174 |
|
| 175 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
| 176 |
index d9da70e9..f5af4ce4 100644 |
| 177 |
--- a/policy/modules/system/systemd.te |
| 178 |
+++ b/policy/modules/system/systemd.te |
| 179 |
@@ -1,4 +1,4 @@ |
| 180 |
-policy_module(systemd, 1.3.12) |
| 181 |
+policy_module(systemd, 1.3.13) |
| 182 |
|
| 183 |
######################################### |
| 184 |
# |
| 185 |
@@ -199,14 +199,22 @@ fs_register_binary_executable_type(systemd_binfmt_t) |
| 186 |
# Cgroups local policy |
| 187 |
# |
| 188 |
|
| 189 |
+allow systemd_cgroups_t self:capability net_admin; |
| 190 |
+ |
| 191 |
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) |
| 192 |
kernel_dgram_send(systemd_cgroups_t) |
| 193 |
+# for /proc/cmdline |
| 194 |
+kernel_read_system_state(systemd_cgroups_t) |
| 195 |
|
| 196 |
selinux_getattr_fs(systemd_cgroups_t) |
| 197 |
|
| 198 |
# write to /run/systemd/cgroups-agent |
| 199 |
init_dgram_send(systemd_cgroups_t) |
| 200 |
init_stream_connect(systemd_cgroups_t) |
| 201 |
+# for /proc/1/environ |
| 202 |
+init_read_state(systemd_cgroups_t) |
| 203 |
+ |
| 204 |
+seutil_libselinux_linked(systemd_cgroups_t) |
| 205 |
|
| 206 |
systemd_log_parse_environment(systemd_cgroups_t) |
| 207 |
|
| 208 |
@@ -255,6 +263,8 @@ seutil_search_default_contexts(systemd_coredump_t) |
| 209 |
|
| 210 |
kernel_read_kernel_sysctls(systemd_hostnamed_t) |
| 211 |
|
| 212 |
+dev_read_sysfs(systemd_hostnamed_t) |
| 213 |
+ |
| 214 |
files_read_etc_files(systemd_hostnamed_t) |
| 215 |
|
| 216 |
seutil_read_file_contexts(systemd_hostnamed_t) |
| 217 |
@@ -262,8 +272,12 @@ seutil_read_file_contexts(systemd_hostnamed_t) |
| 218 |
systemd_log_parse_environment(systemd_hostnamed_t) |
| 219 |
|
| 220 |
optional_policy(` |
| 221 |
- dbus_system_bus_client(systemd_hostnamed_t) |
| 222 |
dbus_connect_system_bus(systemd_hostnamed_t) |
| 223 |
+ dbus_system_bus_client(systemd_hostnamed_t) |
| 224 |
+') |
| 225 |
+ |
| 226 |
+optional_policy(` |
| 227 |
+ networkmanager_dbus_chat(systemd_hostnamed_t) |
| 228 |
') |
| 229 |
|
| 230 |
####################################### |
| 231 |
@@ -307,8 +321,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type) |
| 232 |
# Logind local policy |
| 233 |
# |
| 234 |
|
| 235 |
-allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config }; |
| 236 |
-allow systemd_logind_t self:process getcap; |
| 237 |
+allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config }; |
| 238 |
+allow systemd_logind_t self:process { getcap setfscreate }; |
| 239 |
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; |
| 240 |
allow systemd_logind_t self:unix_dgram_socket create_socket_perms; |
| 241 |
allow systemd_logind_t self:fifo_file rw_fifo_file_perms; |
| 242 |
@@ -318,51 +332,115 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir) |
| 243 |
|
| 244 |
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t) |
| 245 |
manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t) |
| 246 |
-files_search_pids(systemd_logind_t) |
| 247 |
+allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms; |
| 248 |
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit") |
| 249 |
|
| 250 |
-kernel_read_kernel_sysctls(systemd_logind_t) |
| 251 |
+allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms; |
| 252 |
+allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms; |
| 253 |
+allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms; |
| 254 |
|
| 255 |
-auth_manage_faillog(systemd_logind_t) |
| 256 |
+kernel_read_kernel_sysctls(systemd_logind_t) |
| 257 |
|
| 258 |
-dev_rw_sysfs(systemd_logind_t) |
| 259 |
-dev_rw_input_dev(systemd_logind_t) |
| 260 |
dev_getattr_dri_dev(systemd_logind_t) |
| 261 |
-dev_setattr_dri_dev(systemd_logind_t) |
| 262 |
+dev_getattr_kvm_dev(systemd_logind_t) |
| 263 |
dev_getattr_sound_dev(systemd_logind_t) |
| 264 |
+dev_manage_wireless(systemd_logind_t) |
| 265 |
+dev_read_urand(systemd_logind_t) |
| 266 |
+dev_rw_dri(systemd_logind_t) |
| 267 |
+dev_rw_input_dev(systemd_logind_t) |
| 268 |
+dev_rw_sysfs(systemd_logind_t) |
| 269 |
+dev_setattr_dri_dev(systemd_logind_t) |
| 270 |
+dev_setattr_kvm_dev(systemd_logind_t) |
| 271 |
dev_setattr_sound_dev(systemd_logind_t) |
| 272 |
|
| 273 |
+domain_obj_id_change_exemption(systemd_logind_t) |
| 274 |
+ |
| 275 |
files_read_etc_files(systemd_logind_t) |
| 276 |
+files_search_pids(systemd_logind_t) |
| 277 |
|
| 278 |
+fs_getattr_cgroup(systemd_logind_t) |
| 279 |
+fs_getattr_tmpfs(systemd_logind_t) |
| 280 |
+fs_getattr_tmpfs_dirs(systemd_logind_t) |
| 281 |
+fs_list_tmpfs(systemd_logind_t) |
| 282 |
+fs_mount_tmpfs(systemd_logind_t) |
| 283 |
+fs_read_cgroup_files(systemd_logind_t) |
| 284 |
fs_read_efivarfs_files(systemd_logind_t) |
| 285 |
+fs_relabelfrom_tmpfs_dirs(systemd_logind_t) |
| 286 |
+fs_unmount_tmpfs(systemd_logind_t) |
| 287 |
|
| 288 |
-fs_getattr_tmpfs(systemd_logind_t) |
| 289 |
+selinux_get_enforce_mode(systemd_logind_t) |
| 290 |
|
| 291 |
storage_getattr_removable_dev(systemd_logind_t) |
| 292 |
-storage_setattr_removable_dev(systemd_logind_t) |
| 293 |
storage_getattr_scsi_generic_dev(systemd_logind_t) |
| 294 |
+storage_setattr_removable_dev(systemd_logind_t) |
| 295 |
storage_setattr_scsi_generic_dev(systemd_logind_t) |
| 296 |
|
| 297 |
+term_setattr_unallocated_ttys(systemd_logind_t) |
| 298 |
term_use_unallocated_ttys(systemd_logind_t) |
| 299 |
|
| 300 |
+auth_manage_faillog(systemd_logind_t) |
| 301 |
+ |
| 302 |
+init_dbus_send_script(systemd_logind_t) |
| 303 |
init_get_all_units_status(systemd_logind_t) |
| 304 |
+init_get_system_status(systemd_logind_t) |
| 305 |
+init_service_start(systemd_logind_t) |
| 306 |
+init_service_status(systemd_logind_t) |
| 307 |
init_start_all_units(systemd_logind_t) |
| 308 |
init_stop_all_units(systemd_logind_t) |
| 309 |
-init_service_status(systemd_logind_t) |
| 310 |
-init_service_start(systemd_logind_t) |
| 311 |
+init_start_system(systemd_logind_t) |
| 312 |
+init_stop_system(systemd_logind_t) |
| 313 |
|
| 314 |
locallogin_read_state(systemd_logind_t) |
| 315 |
|
| 316 |
+seutil_libselinux_linked(systemd_logind_t) |
| 317 |
+seutil_read_default_contexts(systemd_logind_t) |
| 318 |
+seutil_read_file_contexts(systemd_logind_t) |
| 319 |
+ |
| 320 |
systemd_log_parse_environment(systemd_logind_t) |
| 321 |
systemd_start_power_units(systemd_logind_t) |
| 322 |
|
| 323 |
+udev_list_pids(systemd_logind_t) |
| 324 |
udev_read_db(systemd_logind_t) |
| 325 |
udev_read_pid_files(systemd_logind_t) |
| 326 |
|
| 327 |
+userdom_manage_user_runtime_dirs(systemd_logind_t) |
| 328 |
+userdom_manage_user_runtime_root_dirs(systemd_logind_t) |
| 329 |
+userdom_mounton_user_runtime_dirs(systemd_logind_t) |
| 330 |
+userdom_read_all_users_state(systemd_logind_t) |
| 331 |
+userdom_relabel_user_tmpfs_dirs(systemd_logind_t) |
| 332 |
+userdom_relabel_user_tmpfs_files(systemd_logind_t) |
| 333 |
+userdom_relabelfrom_user_runtime_dirs(systemd_logind_t) |
| 334 |
+userdom_relabelto_user_runtime_dirs(systemd_logind_t) |
| 335 |
+userdom_setattr_user_ttys(systemd_logind_t) |
| 336 |
+userdom_delete_user_runtime_files(systemd_logind_t) |
| 337 |
userdom_use_user_ttys(systemd_logind_t) |
| 338 |
|
| 339 |
optional_policy(` |
| 340 |
- dbus_system_bus_client(systemd_logind_t) |
| 341 |
dbus_connect_system_bus(systemd_logind_t) |
| 342 |
+ dbus_system_bus_client(systemd_logind_t) |
| 343 |
+') |
| 344 |
+ |
| 345 |
+optional_policy(` |
| 346 |
+ devicekit_dbus_chat_power(systemd_logind_t) |
| 347 |
+') |
| 348 |
+ |
| 349 |
+optional_policy(` |
| 350 |
+ networkmanager_dbus_chat(systemd_logind_t) |
| 351 |
+') |
| 352 |
+ |
| 353 |
+optional_policy(` |
| 354 |
+ policykit_dbus_chat(systemd_logind_t) |
| 355 |
+') |
| 356 |
+ |
| 357 |
+optional_policy(` |
| 358 |
+ xserver_read_state(systemd_logind_t) |
| 359 |
+ xserver_dbus_chat(systemd_logind_t) |
| 360 |
+ xserver_dbus_chat_xdm(systemd_logind_t) |
| 361 |
+ xserver_read_xdm_state(systemd_logind_t) |
| 362 |
+') |
| 363 |
+ |
| 364 |
+optional_policy(` |
| 365 |
+ unconfined_dbus_send(systemd_logind_t) |
| 366 |
') |
| 367 |
|
| 368 |
######################################### |
| 369 |
|
| 370 |
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if |
| 371 |
index 847b65bf..bee6898b 100644 |
| 372 |
--- a/policy/modules/system/udev.if |
| 373 |
+++ b/policy/modules/system/udev.if |
| 374 |
@@ -354,6 +354,25 @@ interface(`udev_search_pids',` |
| 375 |
|
| 376 |
######################################## |
| 377 |
## <summary> |
| 378 |
+## list udev pid content |
| 379 |
+## </summary> |
| 380 |
+## <param name="domain"> |
| 381 |
+## <summary> |
| 382 |
+## Domain allowed access. |
| 383 |
+## </summary> |
| 384 |
+## </param> |
| 385 |
+# |
| 386 |
+interface(`udev_list_pids',` |
| 387 |
+ gen_require(` |
| 388 |
+ type udev_var_run_t; |
| 389 |
+ ') |
| 390 |
+ |
| 391 |
+ files_search_pids($1) |
| 392 |
+ allow $1 udev_var_run_t:dir list_dir_perms; |
| 393 |
+') |
| 394 |
+ |
| 395 |
+######################################## |
| 396 |
+## <summary> |
| 397 |
## Create, read, write, and delete |
| 398 |
## udev run directories |
| 399 |
## </summary> |
| 400 |
|
| 401 |
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te |
| 402 |
index 6db42d84..18b0e29c 100644 |
| 403 |
--- a/policy/modules/system/udev.te |
| 404 |
+++ b/policy/modules/system/udev.te |
| 405 |
@@ -1,4 +1,4 @@ |
| 406 |
-policy_module(udev, 1.21.4) |
| 407 |
+policy_module(udev, 1.21.5) |
| 408 |
|
| 409 |
######################################## |
| 410 |
# |
| 411 |
|
| 412 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
| 413 |
index 9c527285..61065118 100644 |
| 414 |
--- a/policy/modules/system/userdomain.if |
| 415 |
+++ b/policy/modules/system/userdomain.if |
| 416 |
@@ -2849,6 +2849,45 @@ interface(`userdom_tmp_filetrans_user_tmp',` |
| 417 |
|
| 418 |
######################################## |
| 419 |
## <summary> |
| 420 |
+## relabel to/from user tmpfs dirs |
| 421 |
+## </summary> |
| 422 |
+## <param name="domain"> |
| 423 |
+## <summary> |
| 424 |
+## Domain allowed access. |
| 425 |
+## </summary> |
| 426 |
+## </param> |
| 427 |
+# |
| 428 |
+interface(`userdom_relabel_user_tmpfs_dirs',` |
| 429 |
+ gen_require(` |
| 430 |
+ type user_tmpfs_t; |
| 431 |
+ ') |
| 432 |
+ |
| 433 |
+ allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom }; |
| 434 |
+ fs_search_tmpfs($1) |
| 435 |
+') |
| 436 |
+ |
| 437 |
+######################################## |
| 438 |
+## <summary> |
| 439 |
+## relabel to/from user tmpfs files |
| 440 |
+## </summary> |
| 441 |
+## <param name="domain"> |
| 442 |
+## <summary> |
| 443 |
+## Domain allowed access. |
| 444 |
+## </summary> |
| 445 |
+## </param> |
| 446 |
+# |
| 447 |
+interface(`userdom_relabel_user_tmpfs_files',` |
| 448 |
+ gen_require(` |
| 449 |
+ type user_tmpfs_t; |
| 450 |
+ ') |
| 451 |
+ |
| 452 |
+ allow $1 user_tmpfs_t:dir list_dir_perms; |
| 453 |
+ allow $1 user_tmpfs_t:file { relabelto relabelfrom }; |
| 454 |
+ fs_search_tmpfs($1) |
| 455 |
+') |
| 456 |
+ |
| 457 |
+######################################## |
| 458 |
+## <summary> |
| 459 |
## Search users runtime directories. |
| 460 |
## </summary> |
| 461 |
## <param name="domain"> |
| 462 |
@@ -2964,6 +3003,43 @@ interface(`userdom_relabelto_user_runtime_dirs',` |
| 463 |
|
| 464 |
######################################## |
| 465 |
## <summary> |
| 466 |
+## Relabel from user runtime directories. |
| 467 |
+## </summary> |
| 468 |
+## <param name="domain"> |
| 469 |
+## <summary> |
| 470 |
+## Domain allowed access. |
| 471 |
+## </summary> |
| 472 |
+## </param> |
| 473 |
+# |
| 474 |
+interface(`userdom_relabelfrom_user_runtime_dirs',` |
| 475 |
+ gen_require(` |
| 476 |
+ type user_runtime_t; |
| 477 |
+ ') |
| 478 |
+ |
| 479 |
+ allow $1 user_runtime_t:dir relabelfrom; |
| 480 |
+') |
| 481 |
+ |
| 482 |
+######################################## |
| 483 |
+## <summary> |
| 484 |
+## delete user runtime files |
| 485 |
+## </summary> |
| 486 |
+## <param name="domain"> |
| 487 |
+## <summary> |
| 488 |
+## Domain allowed access. |
| 489 |
+## </summary> |
| 490 |
+## </param> |
| 491 |
+# |
| 492 |
+interface(`userdom_delete_user_runtime_files',` |
| 493 |
+ gen_require(` |
| 494 |
+ type user_runtime_t; |
| 495 |
+ ') |
| 496 |
+ |
| 497 |
+ allow $1 user_runtime_t:dir list_dir_perms; |
| 498 |
+ allow $1 user_runtime_t:file unlink; |
| 499 |
+') |
| 500 |
+ |
| 501 |
+######################################## |
| 502 |
+## <summary> |
| 503 |
## Create objects in the pid directory |
| 504 |
## with an automatic type transition to |
| 505 |
## the user runtime root type. |
| 506 |
|
| 507 |
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te |
| 508 |
index 67f26632..cf58bd27 100644 |
| 509 |
--- a/policy/modules/system/userdomain.te |
| 510 |
+++ b/policy/modules/system/userdomain.te |
| 511 |
@@ -1,4 +1,4 @@ |
| 512 |
-policy_module(userdomain, 4.13.4) |
| 513 |
+policy_module(userdomain, 4.13.5) |
| 514 |
|
| 515 |
######################################## |
| 516 |
# |
Archives