[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

Jason Zaman Thu, 26 May 2016 08:55:04 -0700

commit:     e46ed57244089ec585dcce05d50ea3b708e55196
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 19:12:24 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 15:33:31 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e46ed572


userdomain: user_tmp requires searching /run/user

 policy/modules/system/userdomain.if | 65 +++++++++++++++++++++++++++++--------
 1 file changed, 52 insertions(+), 13 deletions(-)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 9284808..0d6d9b1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -339,11 +339,14 @@ interface(`userdom_manage_tmp_role',`
 #
 interface(`userdom_exec_user_tmp_files',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        exec_files_pattern($1, user_tmp_t, user_tmp_t)
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 #######################################
@@ -2368,11 +2371,14 @@ 
interface(`userdom_user_home_dir_filetrans_user_home_content',`
 #
 interface(`userdom_write_user_tmp_sockets',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        allow $1 user_tmp_t:sock_file write_sock_file_perms;
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -2387,11 +2393,14 @@ interface(`userdom_write_user_tmp_sockets',`
 #
 interface(`userdom_list_user_tmp',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        allow $1 user_tmp_t:dir list_dir_perms;
+       allow $1 user_runtime_dir_t:dir list_dir_perms;
        files_search_tmp($1)
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -2444,12 +2453,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 #
 interface(`userdom_read_user_tmp_files',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        read_files_pattern($1, user_tmp_t, user_tmp_t)
        allow $1 user_tmp_t:dir list_dir_perms;
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -2502,12 +2514,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
 #
 interface(`userdom_rw_user_tmp_files',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        allow $1 user_tmp_t:dir list_dir_perms;
        rw_files_pattern($1, user_tmp_t, user_tmp_t)
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -2541,12 +2556,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',`
 #
 interface(`userdom_read_user_tmp_symlinks',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
        allow $1 user_tmp_t:dir list_dir_perms;
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -2562,11 +2580,14 @@ interface(`userdom_read_user_tmp_symlinks',`
 #
 interface(`userdom_manage_user_tmp_dirs',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -2582,11 +2603,14 @@ interface(`userdom_manage_user_tmp_dirs',`
 #
 interface(`userdom_manage_user_tmp_files',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        manage_files_pattern($1, user_tmp_t, user_tmp_t)
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -2602,11 +2626,14 @@ interface(`userdom_manage_user_tmp_files',`
 #
 interface(`userdom_manage_user_tmp_symlinks',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -2622,11 +2649,14 @@ interface(`userdom_manage_user_tmp_symlinks',`
 #
 interface(`userdom_manage_user_tmp_pipes',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -2642,11 +2672,14 @@ interface(`userdom_manage_user_tmp_pipes',`
 #
 interface(`userdom_manage_user_tmp_sockets',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -2678,11 +2711,14 @@ interface(`userdom_manage_user_tmp_sockets',`
 #
 interface(`userdom_user_tmp_filetrans',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        filetrans_pattern($1, user_tmp_t, $2, $3, $4)
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')
 
 ########################################
@@ -3655,9 +3691,12 @@ interface(`userdom_manage_all_user_home_content',`
 #
 interface(`userdom_manage_user_tmp_chr_files',`
        gen_require(`
-               type user_tmp_t;
+               type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
        ')
 
        manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
        files_search_tmp($1)
+       allow $1 user_runtime_dir_t:dir search_dir_perms;
+       allow $1 user_runtime_root_t:dir search_dir_perms;
+       files_search_pids($1)
 ')

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

Reply via email to