[selinux-policy: 1093/3172] add cdrecord
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:39:18 UTC 2010
commit 4ec6941bfaaec14e9c4799a509b820a610ca3a79
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Jan 12 23:23:22 2006 +0000
add cdrecord
refpolicy/Changelog | 1 +
refpolicy/policy/global_tunables | 5 +
refpolicy/policy/modules/apps/cdrecord.fc | 5 +
refpolicy/policy/modules/apps/cdrecord.if | 197 +++++++++
refpolicy/policy/modules/apps/cdrecord.te | 12 +
refpolicy/policy/modules/apps/java.if | 4 +-
refpolicy/policy/modules/kernel/files.if | 33 ++
refpolicy/policy/modules/kernel/filesystem.if | 98 +++++
refpolicy/policy/modules/system/userdomain.if | 569 ++++++++++++++++++++++++-
9 files changed, 912 insertions(+), 12 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 507d840..0b875c1 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -11,6 +11,7 @@
- Added modules:
alsa
automount
+ cdrecord
ddcprobe
fetchmail
irc
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 30d0c27..287f9ea 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -159,6 +159,11 @@ gen_tunable(allow_ssh_keysign,false)
## Allow users to connect to mysql
gen_tunable(allow_user_mysql_connect,false)
+## Allow cdrecord to read various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+gen_tunable(cdrecord_read_content,false)
+
## Allow system cron jobs to relabel filesystem
## for restoring file contexts.
gen_tunable(cron_can_relabel,false)
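Review bot: The comment on cdrecord_read_content lists nfs, samba, removable devices, user temp and untrusted content, but the template in cdrecord.if from this same commit also gates default_t content (`cdrecord_read_content && read_default_t`) and user home files behind the tunable. Since this comment is what policy users see when deciding whether to enable it, suggest `## nfs, samba, removable devices, user temp, user home,` / `## default_t and untrusted content files`.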
diff --git a/refpolicy/policy/modules/apps/cdrecord.fc b/refpolicy/policy/modules/apps/cdrecord.fc
new file mode 100644
index 0000000..12deb68
--- /dev/null
+++ b/refpolicy/policy/modules/apps/cdrecord.fc
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+
diff --git a/refpolicy/policy/modules/apps/cdrecord.if b/refpolicy/policy/modules/apps/cdrecord.if
new file mode 100644
index 0000000..caadac5
--- /dev/null
+++ b/refpolicy/policy/modules/apps/cdrecord.if
@@ -0,0 +1,197 @@
+## <summary>Policy for cdrecord</summary>
+
+#######################################
+## <summary>
+## The per user domain template for the cdrecord module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for cdrecord.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+## The type of the user domain.
+## </param>
+## <param name="user_role">
+## The role associated with the user domain.
+## </param>
+#
+template(`cdrecord_per_userdomain_template', `
+
+ gen_require(`
+ type cdrecord_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_cdrecord_t;
+ domain_type($1_cdrecord_t)
+ domain_entry_file($1_cdrecord_t,cdrecord_exec_t)
+ role $3 types $1_cdrecord_t;
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+ allow $1_cdrecord_t self:process { getsched setsched sigkill };
+ allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
+ allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
+
+ # allow ps to show cdrecord and allow the user to kill it
+ allow $2 $1_cdrecord_t:dir { search getattr read };
+ allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
+ allow $2 $1_cdrecord_t:process getattr;
+ #We need to suppress this denial because procps
+ #tries to access /proc/pid/environ and this now
+ #triggers a ptrace check in recent kernels
+ # (2.4 and 2.6). Might want to change procps
+ #to not do this, or only if running in a privileged domain.
+ dontaudit $2 $1_cdrecord_t:process ptrace;
+ allow $2 $1_cdrecord_t:process signal;
+
+ # Transition from the user domain to the derived domain.
+ domain_auto_trans($2, cdrecord_exec_t, $1_cdrecord_t)
+ allow $2 $1_cdrecord_t:fd use;
+ allow $1_cdrecord_t $2:fd use;
+ allow $1_cdrecord_t $2:fifo_file rw_file_perms;
+ allow $1_cdrecord_t $2:process sigchld;
+
+ # allow searching for cdrom-drive
+ dev_list_all_dev_nodes($1_cdrecord_t)
+
+ domain_wide_inherit_fd($1_cdrecord_t)
+ domain_use_wide_inherit_fd($1_cdrecord_t)
+
+ files_read_etc_files($1_cdrecord_t)
+
+ term_use_controlling_term($1_cdrecord_t)
+ term_list_ptys($1_cdrecord_t)
+
+ # allow cdrecord to write the CD
+ storage_raw_write_removable_device($1_cdrecord_t)
+ storage_write_scsi_generic($1_cdrecord_t)
+
+ libs_use_ld_so($1_cdrecord_t)
+ libs_use_shared_libs($1_cdrecord_t)
+
+ logging_send_syslog_msg($1_cdrecord_t)
+
+ miscfiles_read_localization($1_cdrecord_t)
+
+ # write to the user domain tty.
+ userdom_use_user_terminals($1,$1_cdrecord_t)
+ userdom_use_user_terminals($1,$2)
+
+ userdom_read_user_home_files($1,$1_cdrecord_t)
+
+ # Handle nfs home dirs
+ tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints($1_cdrecord_t)
+ files_list_home($1_cdrecord_t)
+ fs_read_nfs_files($1_cdrecord_t)
+ fs_read_nfs_symlinks($1_cdrecord_t)
+
+ ',`
+ files_dontaudit_list_home($1_cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
+ fs_dontaudit_read_nfs_files($1_cdrecord_t)
+ fs_dontaudit_list_nfs($1_cdrecord_t)
+ ')
+ # Handle samba home dirs
+ tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints($1_cdrecord_t)
+ files_list_home($1_cdrecord_t)
+ fs_read_cifs_files($1_cdrecord_t)
+ fs_read_cifs_symlinks($1_cdrecord_t)
+ ',`
+ files_dontaudit_list_home($1_cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
+ fs_dontaudit_read_cifs_files($1_cdrecord_t)
+ fs_dontaudit_list_cifs($1_cdrecord_t)
+ ')
+
+ # Handle removable media, /tmp, and /home
+ tunable_policy(`cdrecord_read_content',`
+ userdom_list_user_tmp($1,$1_cdrecord_t)
+ userdom_read_user_tmp_files($1,$1_cdrecord_t)
+ userdom_read_user_tmp_symlinks($1,$1_cdrecord_t)
+ userdom_search_user_home($1,$1_cdrecord_t)
+ userdom_read_user_home_files($1,$1_cdrecord_t)
+ userdom_read_user_home_symlinks($1,$1_cdrecord_t)
+
+ ifdef(`enable_mls',`
+ ',`
+ fs_search_removable_dirs($1_cdrecord_t)
+ fs_read_removable_files($1_cdrecord_t)
+ fs_read_removable_symlinks($1_cdrecord_t)
+ ')
+ ',`
+ files_dontaudit_list_tmp($1_cdrecord_t)
+ files_dontaudit_list_home($1_cdrecord_t)
+ fs_dontaudit_list_removable_dirs($1_cdrecord_t)
+ fs_donaudit_read_removable_files($1_cdrecord_t)
+ userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
+ userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
+ userdom_dontaudit_list_user_home_dir($1,$1_cdrecord_t)
+ userdom_dontaudit_read_user_home_files($1,$1_cdrecord_t)
+ ')
+
+ # Handle default_t content
+ tunable_policy(`cdrecord_read_content && read_default_t',`
+ files_list_default($1_cdrecord_t)
+ files_read_default_files($1_cdrecord_t)
+ files_read_default_symlinks($1_cdrecord_t)
+ ',`
+ files_dontaudit_read_default_files($1_cdrecord_t)
+ files_dontaudit_list_default($1_cdrecord_t)
+ ')
+
+ # Handle untrusted content
+ tunable_policy(`cdrecord_read_content && read_untrusted_content',`
+ files_list_tmp($1_cdrecord_t)
+ files_list_home($1_cdrecord_t)
+ userdom_search_user_home($1,$1_cdrecord_t)
+
+ userdom_list_user_untrusted_content($1,$1_cdrecord_t)
+ userdom_read_user_untrusted_content_files($1,$1_cdrecord_t)
+ userdom_read_user_untrusted_content_symlinks($1,$1_cdrecord_t)
+ userdom_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
+ userdom_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
+ userdom_read_user_tmp_untrusted_content_symlinks($1,$1_cdrecord_t)
+ ',`
+ files_dontaudit_list_tmp($1_cdrecord_t)
+ files_dontaudit_list_home($1_cdrecord_t)
+ userdom_dontaudit_list_user_home_dir($1,$1_cdrecord_t)
+ userdom_dontaudit_list_user_untrusted_content($1,$1_cdrecord_t)
+ userdom_dontaudit_read_user_untrusted_content_files($1,$1_cdrecord_t)
+ userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
+ userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ files_search_mnt($1_cdrecord_t)
+ fs_read_nfs_files($1_cdrecord_t)
+ fs_read_nfs_symlinks($1_cdrecord_t)
+ ')
+
+ ifdef(`TODO',`
+ can_resmgrd_connect($1_cdrecord_t)
+ ')
+')
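Review bot: The cdrecord_read_content tunable does not actually gate home or NFS reads, because `userdom_read_user_home_files($1,$1_cdrecord_t)` is granted unconditionally just before the first tunable_policy block, and the trailing tunable_policy block keyed on use_nfs_home_dirs alone grants fs_read_nfs_files and fs_read_nfs_symlinks without the cdrecord_read_content conjunct; the gated repeats of those calls and their dontaudit else-branches are therefore dead, and the tunable is weaker than its description in global_tunables suggests. Dropping the unconditional call and the trailing use_nfs_home_dirs block would make the tunable mean what it says. The else branch of the removable-media block calls `fs_donaudit_read_removable_files`, matching the misspelled interface introduced in filesystem.if in this commit; both should read `fs_dontaudit_read_removable_files`, in line with the dontauit corrections made to java.if here. The `ifdef(\`TODO',...)` block and the empty enable_mls branch are dead text and could go. The capability line grants `dac_override`, `setuid` and `sys_rawio` to a user-derived domain; a one-line comment per capability stating what in this template needs it (sys_rawio presumably for the raw SCSI write interfaces below) would make the grant auditable later.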
diff --git a/refpolicy/policy/modules/apps/cdrecord.te b/refpolicy/policy/modules/apps/cdrecord.te
new file mode 100644
index 0000000..5e410f7
--- /dev/null
+++ b/refpolicy/policy/modules/apps/cdrecord.te
@@ -0,0 +1,12 @@
+
+policy_module(cdrecord,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cdrecord_t;
+type cdrecord_exec_t;
+domain_entry_file(cdrecord_t, cdrecord_exec_t)
+
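Review bot: `type cdrecord_t;` is declared and used as the domain argument of `domain_entry_file(cdrecord_t, cdrecord_exec_t)`, but nothing makes it a domain (no domain_type call) and nothing in this commit transitions into it; the per-user template in cdrecord.if creates `$1_cdrecord_t` instead, so cdrecord_t appears to be an orphan type. Either remove the cdrecord_t declaration and the domain_entry_file line, leaving only `type cdrecord_exec_t;` for the template's gen_require, or declare it fully — which is intended is not clear from the hunk. The leading blank line before policy_module is also out of step with the other module files.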
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index 147f670..7e146c7 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -124,8 +124,8 @@ template(`java_per_userdomain_template',`
sysnet_read_config($1_javaplugin_t)
userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
- userdom_dontauit_setattr_user_home_files($1,$1_javaplugin_t)
- userdom_dontauit_exec_user_home_files($1,$1_javaplugin_t)
+ userdom_dontaudit_setattr_user_home_files($1,$1_javaplugin_t)
+ userdom_dontaudit_exec_user_home_files($1,$1_javaplugin_t)
userdom_create_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file },$1_home_t)
userdom_manage_user_home_subdirs($1,$1_javaplugin_t)
userdom_manage_user_home_subdir_files($1,$1_javaplugin_t)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index f0ef6a4..30720ec 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -1813,6 +1813,23 @@ interface(`files_dontaudit_search_home',`
########################################
## <summary>
+## Do not audit attempts to list
+## home directories root (/home).
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_list_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ dontaudit $1 home_root_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
## Get listing of home directories.
## </summary>
## <param name="domain">
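Review bot: The two new dontaudit interfaces in this file spell the same permission set differently: `files_dontaudit_list_home` uses `r_dir_perms` here, while `files_dontaudit_list_tmp` in the next hunk writes out `{ read getattr search }`. Using `dontaudit $1 tmp_t:dir r_dir_perms;` in both keeps the pair consistent with the neighbouring interfaces and stops them diverging if the macro changes. Note that r_dir_perms is a macro and likely covers more than the three listed permissions, so whichever form is kept should be a deliberate choice.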
@@ -2144,6 +2161,22 @@ interface(`files_list_tmp',`
########################################
## <summary>
+## Do not audit listing of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## Domain not to audit.
+## </param>
+#
+interface(`files_dontaudit_list_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ dontaudit $1 tmp_t:dir { read getattr search };
+')
+
+########################################
+## <summary>
## Read files in the tmp directory (/tmp).
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 8cbf09e..8e71d3c 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -379,6 +379,23 @@ interface(`fs_list_auto_mountpoints',`
########################################
## <summary>
+## Do not audit attempts to list directories of automatically
+## mounted filesystems.
+## </summary>
+## <param name="domain">
+## The type of the domain performing this action.
+## </param>
+#
+interface(`fs_dontaudit_list_auto_mountpoints',`
+ gen_require(`
+ type autofs_t;
+ ')
+
+ dontaudit $1 autofs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
## Register an interpreter for new binary
## file types, using the kernel binfmt_misc
## support. A common use for this is to
@@ -1271,6 +1288,87 @@ interface(`fs_search_rpc_dirs',`
########################################
## <summary>
+## Search removable storage directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`fs_search_removable_dirs',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ allow $1 removable_t:dir { getattr read search };
+
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list removable storage directories.
+## </summary>
+## <param name="domain">
+## Domain not to audit.
+## </param>
+#
+interface(`fs_dontaudit_list_removable_dirs',`
+ gen_require(`
+ type removable_t;
+ ')
+ dontaudit $1 removable_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Read removable storage files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`fs_read_removable_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ allow $1 removable_t:file { read getattr };
+
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read removable storage files.
+## </summary>
+## <param name="domain">
+## Domain not to audit.
+## </param>
+#
+interface(`fs_donaudit_read_removable_files',`
+ gen_require(`
+ type removable_t;
+ ')
+ dontaudit $1 removable_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read removable storage symbolic links.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`fs_read_removable_symlinks',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ allow $1 removable_t:lnk_file { getattr read };
+
+')
+
+########################################
+## <summary>
## Read directories of RPC file system pipes.
## </summary>
## <param name="domain">
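Review bot: `interface(\`fs_donaudit_read_removable_files',` is misspelled and the typo is already propagated to its one caller in cdrecord.if; this commit fixes the same kind of dontauit misspelling in java.if and userdomain.if, so rename this one to `fs_dontaudit_read_removable_files` now, before other modules depend on the wrong name. `fs_search_removable_dirs` grants `{ getattr read search }`, which is a listing permission set rather than a search one; either rename it fs_list_removable_dirs or reduce the rule to `allow $1 removable_t:dir search_dir_perms;` so the name matches refpolicy convention. The stray blank line before `')` in the three allow interfaces and the missing blank line after gen_require in the two dontaudit ones are inconsistent with the rest of the file.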
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index ceab981..321b9ca 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1126,12 +1126,41 @@ template(`userdom_user_home_domtrans',`
########################################
## <summary>
-## Create, read, write, and delete symbolic links
+## Do not audit attempts to list user home subdirectories.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to list user home subdirectories.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain to not audit
+## </param>
+#
+template(`userdom_dontaudit_list_user_home_dir',`
+ gen_require(`
+ type $1_home_dir_t;
+ ')
+
+ dontaudit $2 $1_home_dir_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories
## in a user home subdirectory.
## </summary>
## <desc>
## <p>
-## Create, read, write, and delete symbolic links
+## Create, read, write, and delete directories
## in a user home subdirectory.
## </p>
## <p>
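Review bot: The new `userdom_dontaudit_list_user_home_dir` is documented as "Do not audit attempts to list user home subdirectories", but its rule targets `$1_home_dir_t:dir`, which is the user's home directory itself; subdirectory contents are `$1_home_t` in the templates that follow. Suggest `## Do not audit attempts to list the user home directory.` in both the summary and the desc paragraph so the documentation matches the type the rule covers.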
@@ -1180,7 +1209,7 @@ template(`userdom_manage_user_home_subdirs',`
## Domain allowed access.
## </param>
#
-template(`userdom_dontauit_setattr_user_home_files',`
+template(`userdom_dontaudit_setattr_user_home_files',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
@@ -1216,17 +1245,17 @@ template(`userdom_read_user_home_files',`
files_search_home($2)
allow $2 $1_home_dir_t:dir search;
- allow $2 $1_home_t:dir search;
+ allow $2 $1_home_t:dir search_dir_perms;
allow $2 $1_home_t:file r_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to execute user home files.
+## Do not audit attempts to read user home files.
## </summary>
## <desc>
## <p>
-## Do not audit attempts to execute user home files.
+## Do not audit attempts to read user home files.
## </p>
## <p>
## This is a templated interface, and should only
@@ -1238,15 +1267,48 @@ template(`userdom_read_user_home_files',`
## is the prefix for user_t).
## </param>
## <param name="domain">
-## Domain allowed access.
+## Domain to not audit.
## </param>
#
-template(`userdom_dontauit_exec_user_home_files',`
+template(`userdom_dontaudit_read_user_home_files',`
gen_require(`
type $1_home_t;
')
- dontaudit $2 $1_home_t:file execute;
+ dontaudit $2 $1_home_t:dir r_dir_perms;
+ dontaudit $2 $1_home_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read user home subdirectory symbolic links.
+## </summary>
+## <desc>
+## <p>
+## Read user home subdirectory symbolic links.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_read_user_home_symlinks',`
+ gen_require(`
+ type $1_home_dir_t, $1_home_t;
+ ')
+
+ files_search_home($2)
+ allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_t:dir search;
+ allow $2 $1_home_t:lnk_file r_file_perms;
')
########################################
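Review bot: `userdom_read_user_home_symlinks` grants `$1_home_t:dir search` while the hunk just above changes the sibling `userdom_read_user_home_files` to `search_dir_perms` on the same type; the two read templates should agree, `allow $2 $1_home_t:dir search_dir_perms;`. The new `userdom_dontaudit_read_user_home_files` also dontaudits `$1_home_t:dir r_dir_perms`, i.e. directory listing as well as file reads, which the summary "Do not audit attempts to read user home files" does not mention; a short desc sentence noting that listing of home subdirectories is covered too would avoid surprises.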
@@ -1283,6 +1345,35 @@ template(`userdom_exec_user_home_files',`
########################################
## <summary>
+## Do not audit attempts to execute user home files.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to execute user home files.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_dontaudit_exec_user_home_files',`
+ gen_require(`
+ type $1_home_t;
+ ')
+
+ dontaudit $2 $1_home_t:file execute;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
@@ -1504,6 +1595,162 @@ template(`userdom_write_user_tmp_sockets',`
########################################
## <summary>
+## List user temporary directories.
+## </summary>
+## <desc>
+## <p>
+## List user temporary directories.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_list_user_tmp',`
+ gen_require(`
+ type $1_tmp_t;
+ ')
+
+ files_search_tmp($2)
+ allow $2 $1_tmp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list user
+## temporary directories.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to list user
+## temporary directories.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+template(`userdom_dontaudit_list_user_tmp',`
+ gen_require(`
+ type $1_tmp_t;
+ ')
+
+ dontaudit $2 $1_tmp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Read user temporary files.
+## </summary>
+## <desc>
+## <p>
+## Read user temporary files.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_read_user_tmp_files',`
+ gen_require(`
+ type $1_tmp_t;
+ ')
+
+ files_search_tmp($2)
+ allow $2 $1_tmp_t:dir rw_dir_perms;
+ allow $2 $1_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read users
+## temporary files.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to read users
+## temporary files.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+template(`userdom_dontaudit_read_user_tmp_files',`
+ gen_require(`
+ type $1_tmp_t;
+ ')
+
+ dontaudit $2 $1_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read user
+## temporary symbolic links.
+## </summary>
+## <desc>
+## <p>
+## Read user
+## temporary symbolic links.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_read_user_tmp_symlinks',`
+ gen_require(`
+ type $1_tmp_t;
+ ')
+
+ files_search_tmp($2)
+ allow $2 $1_tmp_t:dir rw_dir_perms;
+ allow $2 $1_tmp_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete user
## temporary directories.
## </summary>
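Review bot: `userdom_read_user_tmp_files` and `userdom_read_user_tmp_symlinks` are read-only by name and documentation but grant `$1_tmp_t:dir rw_dir_perms`, which as I read the refpolicy macro includes write-class directory permissions (add_name/remove_name); a caller expecting read access — here the cdrecord domain under cdrecord_read_content — would also be able to create and unlink entries in the user's tmp directory. These should be `allow $2 $1_tmp_t:dir r_dir_perms;`, or search_dir_perms if only traversal is intended, matching `userdom_list_user_tmp` just above. The same rw_dir_perms grant appears in the next hunk in userdom_read_user_untrusted_content_files, userdom_read_user_untrusted_content_symlinks and both userdom_read_user_tmp_untrusted_content_* templates and should be tightened the same way.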
@@ -1668,6 +1915,308 @@ template(`userdom_manage_user_tmp_sockets',`
########################################
## <summary>
+## List users untrusted directories.
+## </summary>
+## <desc>
+## <p>
+## List users untrusted directories.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_list_user_untrusted_content',`
+ gen_require(`
+ type $1_untrusted_content_t;
+ ')
+
+ allow $2 $1_untrusted_content_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list user
+## untrusted directories.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to read user
+## untrusted directories.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+template(`userdom_dontaudit_list_user_untrusted_content',`
+ gen_require(`
+ type $1_untrusted_content_t;
+ ')
+
+ dontaudit $2 $1_untrusted_content_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Read user untrusted files.
+## </summary>
+## <desc>
+## <p>
+## Read user untrusted files.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_read_user_untrusted_content_files',`
+ gen_require(`
+ type $1_untrusted_content_t;
+ ')
+
+ allow $2 $1_untrusted_content_t:dir rw_dir_perms;
+ allow $2 $1_untrusted_content_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read users
+## untrusted files.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to read users
+## untrusted files.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+template(`userdom_dontaudit_read_user_untrusted_content_files',`
+ gen_require(`
+ type $1_untrusted_content_t;
+ ')
+
+ dontaudit $2 $1_untrusted_content_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read user untrusted symbolic links.
+## </summary>
+## <desc>
+## <p>
+## Read user untrusted symbolic links.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_read_user_untrusted_content_symlinks',`
+ gen_require(`
+ type $1_untrusted_content_t;
+ ')
+
+ allow $2 $1_untrusted_content_t:dir rw_dir_perms;
+ allow $2 $1_untrusted_content_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## List users temporary untrusted directories.
+## </summary>
+## <desc>
+## <p>
+## List users temporary untrusted directories.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_list_user_tmp_untrusted_content',`
+ gen_require(`
+ type $1_untrusted_content_tmp_t;
+ ')
+
+ allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list user
+## temporary untrusted directories.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to list user
+## temporary directories.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+template(`userdom_dontaudit_list_user_tmp_untrusted_content',`
+ gen_require(`
+ type $1_untrusted_content_tmp_t;
+ ')
+
+ dontaudit $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Read user temporary untrusted files.
+## </summary>
+## <desc>
+## <p>
+## Read user temporary untrusted files.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_read_user_tmp_untrusted_content_files',`
+ gen_require(`
+ type $1_untrusted_content_tmp_t;
+ ')
+
+ allow $2 $1_untrusted_content_tmp_t:dir rw_dir_perms;
+ allow $2 $1_untrusted_content_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read users
+## temporary untrusted files.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to read users
+## temporary untrusted files.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',`
+ gen_require(`
+ type $1_untrusted_content_tmp_t;
+ ')
+
+ dontaudit $2 $1_untrusted_content_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read user temporary untrusted symbolic links.
+## </summary>
+## <desc>
+## <p>
+## Read user temporary untrusted symbolic links.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_read_user_tmp_untrusted_content_symlinks',`
+ gen_require(`
+ type $1_untrusted_content_tmp_t;
+ ')
+
+ allow $2 $1_untrusted_content_tmp_t:dir rw_dir_perms;
+ allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
## Read and write a user domain tty and pty.
## </summary>
## <desc>
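Review bot: Two descriptions in this hunk do not match their summaries: the desc of `userdom_dontaudit_list_user_untrusted_content` says "Do not audit attempts to read user untrusted directories" while its summary and rule are about listing, and the desc of `userdom_dontaudit_list_user_tmp_untrusted_content` says "temporary directories" where the summary says "temporary untrusted directories". Suggest `## Do not audit attempts to list user` / `## untrusted directories.` for the first and `## temporary untrusted directories.` for the second, so the generated interface docs describe the right type.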
@@ -1834,7 +2383,7 @@ interface(`userdom_shell_domtrans_sysadm',`
## Search the staff users home directory.
## </summary>
## <param name="domain">
-## Domain to not audit.
+## Domain allowed access.
## </param>
#
interface(`userdom_search_staff_home_dir',`