Make an attribute for objects in /run/user/%{USERID}/*
Setup attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/* interfaces to associate this attribute with types and interfaces to delete types with this attribute.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
This commit is contained in:
David Sugar
Chris PeBenito
parent
5a4f511ff4
commit
9af24aeb9c
|
|
@ -2931,6 +2931,28 @@ interface(`userdom_relabel_user_tmpfs_files',`
|
||||||
fs_search_tmpfs($1)
|
fs_search_tmpfs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make the specified type usable in
|
||||||
|
## the directory /run/user/%{USERID}/.
|
||||||
|
## </summary>
|
||||||
|
## <param name="type">
|
||||||
|
## <summary>
|
||||||
|
## Type to be used as a file in the
|
||||||
|
## user_runtime_content_dir_t.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_user_runtime_content',`
|
||||||
|
gen_require(`
|
||||||
|
attribute user_runtime_content_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 user_runtime_content_type;
|
||||||
|
files_type($1)
|
||||||
|
ubac_constrained($1)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search users runtime directories.
|
## Search users runtime directories.
|
||||||
|
|
@ -3098,7 +3120,139 @@ interface(`userdom_delete_user_runtime_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 user_runtime_t:dir list_dir_perms;
|
allow $1 user_runtime_t:dir list_dir_perms;
|
||||||
allow $1 user_runtime_t:file unlink;
|
allow $1 user_runtime_t:file delete_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search users runtime directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_search_all_user_runtime',`
|
||||||
|
gen_require(`
|
||||||
|
attribute user_runtime_content_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 user_runtime_content_type:dir search_dir_perms;
|
||||||
|
userdom_search_user_runtime_root($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## List user runtime directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_list_all_user_runtime',`
|
||||||
|
gen_require(`
|
||||||
|
attribute user_runtime_content_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 user_runtime_content_type:dir list_dir_perms;
|
||||||
|
userdom_search_user_runtime($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## delete user runtime directories
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_delete_all_user_runtime_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
attribute user_runtime_content_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## delete user runtime files
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_delete_all_user_runtime_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute user_runtime_content_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 user_runtime_content_type:dir list_dir_perms;
|
||||||
|
allow $1 user_runtime_content_type:file delete_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## delete user runtime symlink files
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_delete_all_user_runtime_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
attribute user_runtime_content_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 user_runtime_content_type:dir list_dir_perms;
|
||||||
|
allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## delete user runtime fifo files
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_delete_all_user_runtime_named_pipes',`
|
||||||
|
gen_require(`
|
||||||
|
attribute user_runtime_content_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 user_runtime_content_type:dir list_dir_perms;
|
||||||
|
allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## delete user runtime socket files
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_delete_all_user_runtime_named_sockets',`
|
||||||
|
gen_require(`
|
||||||
|
attribute user_runtime_content_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 user_runtime_content_type:dir list_dir_perms;
|
||||||
|
allow $1 user_runtime_content_type:file delete_sock_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
||||||
|
|
@ -75,6 +75,9 @@ attribute unpriv_userdomain;
|
||||||
|
|
||||||
attribute user_home_content_type;
|
attribute user_home_content_type;
|
||||||
|
|
||||||
|
# dirs/files/etc created in /run/user/%{USERID}/
|
||||||
|
attribute user_runtime_content_type;
|
||||||
|
|
||||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
|
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
|
||||||
fs_associate_tmpfs(user_home_dir_t)
|
fs_associate_tmpfs(user_home_dir_t)
|
||||||
files_type(user_home_dir_t)
|
files_type(user_home_dir_t)
|
||||||
|
|
@ -128,3 +131,4 @@ files_poly(user_runtime_t)
|
||||||
files_poly_member(user_runtime_t)
|
files_poly_member(user_runtime_t)
|
||||||
files_poly_parent(user_runtime_t)
|
files_poly_parent(user_runtime_t)
|
||||||
ubac_constrained(user_runtime_t)
|
ubac_constrained(user_runtime_t)
|
||||||
|
userdom_user_runtime_content(user_runtime_t)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue