Create a attribute user_home_content_type and assign it to all types that are classified userdom_user_home_content()

Create various interfaces using the user_home_content_type attribute for tmpreaper user_home_t, user_tmp_t and user_tmpfs_t are user_home_content_type (why?) We should probably also create user_tmp_content_type and user_tmpfs_content_type attributes and assign to userdom_tmp_file and userdom_tmpfs_file respectively Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-11-05 12:55:13 +01:00 · 2012-11-05 12:55:13 +01:00 · 9706f6a477
commit 9706f6a477
parent c48458f8e2
2 changed files with 103 additions and 0 deletions
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -1350,9 +1350,12 @@ interface(`userdom_user_application_domain',`
 #
 interface(`userdom_user_home_content',`
 	gen_require(`
+		attribute user_home_content_type;
 		type user_home_t;
 	')

+	typeattribute $1 user_home_content_type;
+
 	allow $1 user_home_t:filesystem associate;
 	files_type($1)
 	files_poly_member($1)
@ -1702,6 +1705,25 @@ interface(`userdom_dontaudit_search_user_home_content',`
 	dontaudit $1 user_home_t:dir search_dir_perms;
 ')

+########################################
+## <summary>
+##	List all users home content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_list_all_user_home_content',`
+	gen_require(`
+		attribute user_home_content_type;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 user_home_content_type:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	List contents of users home directory.
@ -1740,6 +1762,26 @@ interface(`userdom_manage_user_home_content_dirs',`
 	files_search_home($1)
 ')

+########################################
+## <summary>
+##	Delete all user home content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_home_content_dirs',`
+	gen_require(`
+		attribute user_home_content_type;
+		type user_home_dir_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
 ########################################
 ## <summary>
 ##	Delete directories in a user home subdirectory.
@ -1758,6 +1800,25 @@ interface(`userdom_delete_user_home_content_dirs',`
 	allow $1 user_home_t:dir delete_dir_perms;
 ')

+########################################
+## <summary>
+##	Set attributes of all user home content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_setattr_all_user_home_content_dirs',`
+	gen_require(`
+		attribute user_home_content_type;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 user_home_content_type:dir setattr_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to set the
@ -1870,6 +1931,26 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 	dontaudit $1 user_home_t:file write_file_perms;
 ')

+########################################
+## <summary>
+##	Delete all user home content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_home_content_files',`
+	gen_require(`
+		attribute user_home_content_type;
+		type user_home_dir_t;
+	')
+
+	userdom_search_user_home_content($1)
+	delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
 ########################################
 ## <summary>
 ##	Delete files in a user home subdirectory.
@ -2032,6 +2113,26 @@ interface(`userdom_manage_user_home_content_symlinks',`
 	files_search_home($1)
 ')

+########################################
+## <summary>
+##	Delete all user home content symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_home_content_symlinks',`
+	gen_require(`
+		attribute user_home_content_type;
+		type user_home_dir_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
 ########################################
 ## <summary>
 ##	Delete symbolic links in a user home directory.
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@ -59,6 +59,8 @@ attribute unpriv_userdomain;
 attribute untrusted_content_type;
 attribute untrusted_content_tmp_type;

+attribute user_home_content_type;
+
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)