Make an attribute for objects in /run/user/%{USERID}/*
Set up the attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/*, with interfaces to associate this attribute with types and interfaces to delete files of types carrying this attribute. Signed-off-by: Dave Sugar <dsugar@tresys.com>
parent
5a4f511ff4
commit
9af24aeb9c
@ -2931,6 +2931,28 @@ interface(`userdom_relabel_user_tmpfs_files',`
fs_search_tmpfs($1)
')
########################################
## <summary>
## Make the specified type usable in
## the directory /run/user/%{USERID}/.
## </summary>
## <param name="type">
## <summary>
## Type to be used as a file in the
## user_runtime_content_dir_t.
## </summary>
## </param>
#
interface(`userdom_user_runtime_content',`
gen_require(`
attribute user_runtime_content_type;
')
typeattribute $1 user_runtime_content_type;
files_type($1)
ubac_constrained($1)
')
########################################
## <summary>
## Search users runtime directories.
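Review bot: The parameter summary of `userdom_user_runtime_content` names a type `user_runtime_content_dir_t` that does not appear anywhere in this commit; the .te hunk applies the interface to `user_runtime_t`, so the documentation appears to describe a type that does not exist. Suggest `## Type to be used as a file in the` followed by `## user runtime directory /run/user/%{USERID}/.` so the text describes the attribute's purpose rather than a specific type. The interface body itself is complete within the hunk; the trailing context lines belong to the existing `userdom_search_user_runtime` interface.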
@ -3098,7 +3120,139 @@ interface(`userdom_delete_user_runtime_files',`
')
allow $1 user_runtime_t:dir list_dir_perms;
allow $1 user_runtime_t:file unlink;
allow $1 user_runtime_t:file delete_file_perms;
')
########################################
## <summary>
## Search users runtime directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_search_all_user_runtime',`
gen_require(`
attribute user_runtime_content_type;
')
allow $1 user_runtime_content_type:dir search_dir_perms;
userdom_search_user_runtime_root($1)
')
########################################
## <summary>
## List user runtime directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_list_all_user_runtime',`
gen_require(`
attribute user_runtime_content_type;
')
allow $1 user_runtime_content_type:dir list_dir_perms;
userdom_search_user_runtime($1)
')
########################################
## <summary>
## delete user runtime directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_delete_all_user_runtime_dirs',`
gen_require(`
attribute user_runtime_content_type;
')
allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
')
########################################
## <summary>
## delete user runtime files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_delete_all_user_runtime_files',`
gen_require(`
attribute user_runtime_content_type;
')
allow $1 user_runtime_content_type:dir list_dir_perms;
allow $1 user_runtime_content_type:file delete_file_perms;
')
########################################
## <summary>
## delete user runtime symlink files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_delete_all_user_runtime_symlinks',`
gen_require(`
attribute user_runtime_content_type;
')
allow $1 user_runtime_content_type:dir list_dir_perms;
allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
')
########################################
## <summary>
## delete user runtime fifo files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_delete_all_user_runtime_named_pipes',`
gen_require(`
attribute user_runtime_content_type;
')
allow $1 user_runtime_content_type:dir list_dir_perms;
allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
')
########################################
## <summary>
## delete user runtime socket files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_delete_all_user_runtime_named_sockets',`
gen_require(`
attribute user_runtime_content_type;
')
allow $1 user_runtime_content_type:dir list_dir_perms;
allow $1 user_runtime_content_type:file delete_sock_file_perms;
')
########################################
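Review bot: Two of the new deletion interfaces target the wrong object class: `userdom_delete_all_user_runtime_symlinks` grants `fifo_file delete_lnk_file_perms` and `userdom_delete_all_user_runtime_named_sockets` grants `file delete_sock_file_perms`, so callers receive unlink rights on FIFOs and regular files that the interface names do not promise, while the access to `lnk_file` and `sock_file` they are meant to provide is not granted here at all. The two lines should read `allow $1 user_runtime_content_type:lnk_file delete_lnk_file_perms;` and `allow $1 user_runtime_content_type:sock_file delete_sock_file_perms;`. The summary of `userdom_search_all_user_runtime` repeats the existing `userdom_search_user_runtime` summary word for word; `## Search all user runtime content directories.` would tell the two apart in the generated docs. The trailing separator line indicates the hunk continues past this view.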
@ -75,6 +75,9 @@ attribute unpriv_userdomain;
attribute user_home_content_type;
# dirs/files/etc created in /run/user/%{USERID}/
attribute user_runtime_content_type;
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
@ -128,3 +131,4 @@ files_poly(user_runtime_t)
files_poly_member(user_runtime_t)
files_poly_parent(user_runtime_t)
ubac_constrained(user_runtime_t)
userdom_user_runtime_content(user_runtime_t)
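Review bot: `userdom_user_runtime_content(user_runtime_t)` places the per-user runtime directory type itself under `user_runtime_content_type`, so every `userdom_delete_all_user_runtime_*` interface added to userdomain.if — notably `userdom_delete_all_user_runtime_dirs` with `delete_dir_perms` — now also reaches `/run/user/%{USERID}` rather than only the objects created beneath it, which is wider than the attribute's own comment (`# dirs/files/etc created in /run/user/%{USERID}/`) describes. If that is the intent, the comment should say so, e.g. `# user_runtime_t itself plus dirs/files/etc created in /run/user/%{USERID}/`; if not, keep `user_runtime_t` out of the attribute and grant the search/list access the new interfaces need on it separately. The interface already calls `ubac_constrained($1)`, so the `ubac_constrained(user_runtime_t)` line just above becomes redundant and can be dropped.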