commit: e46ed57244089ec585dcce05d50ea3b708e55196 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Thu May 12 19:12:24 2016 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Thu May 26 15:33:31 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e46ed572
userdomain: user_tmp requires searching /run/user policy/modules/system/userdomain.if | 65 +++++++++++++++++++++++++++++-------- 1 file changed, 52 insertions(+), 13 deletions(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 9284808..0d6d9b1 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -339,11 +339,14 @@ interface(`userdom_manage_tmp_role',` # interface(`userdom_exec_user_tmp_files',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') exec_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ####################################### @@ -2368,11 +2371,14 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',` # interface(`userdom_write_user_tmp_sockets',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') allow $1 user_tmp_t:sock_file write_sock_file_perms; files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -2387,11 +2393,14 @@ interface(`userdom_write_user_tmp_sockets',` # interface(`userdom_list_user_tmp',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') allow $1 user_tmp_t:dir list_dir_perms; + allow $1 user_runtime_dir_t:dir list_dir_perms; files_search_tmp($1) + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -2444,12 +2453,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') read_files_pattern($1, user_tmp_t, user_tmp_t) allow $1 user_tmp_t:dir list_dir_perms; files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -2502,12 +2514,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',` # interface(`userdom_rw_user_tmp_files',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') allow $1 user_tmp_t:dir list_dir_perms; rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -2541,12 +2556,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',` # interface(`userdom_read_user_tmp_symlinks',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) allow $1 user_tmp_t:dir list_dir_perms; files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -2562,11 +2580,14 @@ interface(`userdom_read_user_tmp_symlinks',` # interface(`userdom_manage_user_tmp_dirs',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') manage_dirs_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -2582,11 +2603,14 @@ interface(`userdom_manage_user_tmp_dirs',` # interface(`userdom_manage_user_tmp_files',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') manage_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -2602,11 +2626,14 @@ interface(`userdom_manage_user_tmp_files',` # interface(`userdom_manage_user_tmp_symlinks',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -2622,11 +2649,14 @@ interface(`userdom_manage_user_tmp_symlinks',` # interface(`userdom_manage_user_tmp_pipes',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -2642,11 +2672,14 @@ interface(`userdom_manage_user_tmp_pipes',` # interface(`userdom_manage_user_tmp_sockets',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -2678,11 +2711,14 @@ interface(`userdom_manage_user_tmp_sockets',` # interface(`userdom_user_tmp_filetrans',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') filetrans_pattern($1, user_tmp_t, $2, $3, $4) files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ') ######################################## @@ -3655,9 +3691,12 @@ interface(`userdom_manage_all_user_home_content',` # interface(`userdom_manage_user_tmp_chr_files',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t; ') manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) + allow $1 user_runtime_dir_t:dir search_dir_perms; + allow $1 user_runtime_root_t:dir search_dir_perms; + files_search_pids($1) ')