[selinux-policy: 1189/3172] clean up userdom_create_user_home()

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:47:44 UTC 2010


commit 9417cb7ad14c4534d602139e51a70f77976de8b6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Feb 3 16:13:15 2006 +0000

    clean up userdom_create_user_home()

 refpolicy/policy/modules/apps/irc.if              |    2 +-
 refpolicy/policy/modules/apps/java.if             |    2 +-
 refpolicy/policy/modules/services/cron.if         |    2 +-
 refpolicy/policy/modules/services/cron.te         |    2 +-
 refpolicy/policy/modules/services/ftp.if          |    6 +--
 refpolicy/policy/modules/services/ftp.te          |    2 +-
 refpolicy/policy/modules/services/mta.if          |   19 +++----
 refpolicy/policy/modules/services/mta.te          |    2 +-
 refpolicy/policy/modules/services/samba.if        |    6 +--
 refpolicy/policy/modules/services/spamassassin.if |   13 +++--
 refpolicy/policy/modules/system/userdomain.if     |   59 +++++++-------------
 11 files changed, 43 insertions(+), 72 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index 5ad0661..3d604ad 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -65,7 +65,7 @@ template(`irc_per_userdomain_template',`
 	allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
 	allow $1_irc_t $1_irc_home_t:file create_file_perms;
 	allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
-	userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
+	userdom_filetrans_user_home_dir($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
 
 	# access files under /tmp
 	allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index b390cb4..e99d538 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -126,12 +126,12 @@ template(`java_per_userdomain_template',`
 	userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
 	userdom_dontaudit_setattr_user_home_files($1,$1_javaplugin_t)
 	userdom_dontaudit_exec_user_home_files($1,$1_javaplugin_t)
-	userdom_create_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file },$1_home_t)
 	userdom_manage_user_home_subdirs($1,$1_javaplugin_t)
 	userdom_manage_user_home_subdir_files($1,$1_javaplugin_t)
 	userdom_manage_user_home_subdir_symlinks($1,$1_javaplugin_t)
 	userdom_manage_user_home_subdir_pipes($1,$1_javaplugin_t)
 	userdom_manage_user_home_subdir_sockets($1,$1_javaplugin_t)
+	userdom_filetrans_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
 
 	# libdeploy.so legacy
 	tunable_policy(`allow_execmem',`
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 66caebb..fa0d30c 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -142,7 +142,7 @@ template(`cron_per_userdomain_template',`
 	userdom_manage_user_home_subdir_symlinks($1,$1_crond_t)
 	userdom_manage_user_home_subdir_pipes($1,$1_crond_t)
 	userdom_manage_user_home_subdir_sockets($1,$1_crond_t)
-#	userdom_create_user_home($1,$1_crond_t,notdevfile_class_set)
+#	userdom_filetrans_user_home($1,$1_crond_t,notdevfile_class_set)
 
 	tunable_policy(`fcron_crond', `
 		allow crond_t $1_cron_spool_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 743dae1..75a112d 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -159,7 +159,7 @@ ifdef(`targeted_policy',`
 	userdom_manage_user_home_subdir_symlinks(user,crond_t)
 	userdom_manage_user_home_subdir_pipes(user,crond_t)
 	userdom_manage_user_home_subdir_sockets(user,crond_t)
-	userdom_create_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file })
+	userdom_filetrans_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file })
 
 	allow crond_t unconfined_t:dbus send_msg;
 	allow crond_t initrc_t:dbus send_msg;
diff --git a/refpolicy/policy/modules/services/ftp.if b/refpolicy/policy/modules/services/ftp.if
index bf1c3dd..ccd4b4d 100644
--- a/refpolicy/policy/modules/services/ftp.if
+++ b/refpolicy/policy/modules/services/ftp.if
@@ -22,16 +22,12 @@
 ## </param>
 #
 template(`ftp_per_userdomain_template',`
-	gen_require(`
-		type ftpd_t;
-	')
-
 	tunable_policy(`ftpd_is_daemon',`
 		userdom_manage_user_home_subdir_files($1,ftpd_t)
 		userdom_manage_user_home_subdir_symlinks($1,ftpd_t)
 		userdom_manage_user_home_subdir_sockets($1,ftpd_t)
 		userdom_manage_user_home_subdir_pipes($1,ftpd_t)
-		userdom_create_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+		userdom_filetrans_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
 	')
 ')
 
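Review bot: The `gen_require` block removed at the top of `ftp_per_userdomain_template` was the template's only declaration of `ftpd_t`, yet the `tunable_policy` body still passes `ftpd_t` to five userdom interfaces. If the template is expanded from another module's policy (the call sites are not on this page, so this is inferred), that module now references the type without requiring it, which is the kind of gap that breaks loadable-module builds. The same removal appears in both mta.if template hunks, in samba.if (`smbd_t`) and in spamassassin.if (`spamd_t` and others), and the commit message mentions none of it. Either keep the three-line `gen_require` block for `ftpd_t`, or state in the description why these requires are no longer needed.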
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 7ffe9f6..a4bf5d9 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -142,7 +142,7 @@ ifdef(`targeted_policy',`
 			userdom_manage_user_home_subdir_symlinks(user,ftpd_t)
 			userdom_manage_user_home_subdir_sockets(user,ftpd_t)
 			userdom_manage_user_home_subdir_pipes(user,ftpd_t)
-			userdom_create_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+			userdom_filetrans_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
 		')
 	')
 ')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 5e1384e..1b0eeaa 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -36,11 +36,6 @@ interface(`mta_stub',`
 #
 template(`mta_base_mail_template',`
 
-	gen_require(`
-		attribute user_mail_domain;
-		type sendmail_exec_t;
-	')
-
 	##############################
 	#
 	# $1_mail_t declarations
@@ -175,11 +170,11 @@ template(`mta_base_mail_template',`
 ## </param>
 #
 template(`mta_per_userdomain_template',`
-	gen_require(`
-		attribute mailserver_domain, mta_user_agent;
-		attribute mailserver_delivery, user_mail_domain;
-		type sendmail_exec_t;
-	')
+
+	##############################
+	#
+	# Declarations
+	#
 
 	mta_base_mail_template($1)
 	role $3 types $1_mail_t;
@@ -210,7 +205,7 @@ template(`mta_per_userdomain_template',`
 	userdom_use_user_terminals($1,mta_user_agent)
 	# Create dead.letter in user home directories.
 	userdom_manage_user_home_subdir_files($1,$1_mail_t)
-	userdom_create_user_home($1,$1_mail_t,file)
+	userdom_filetrans_user_home($1,$1_mail_t,file)
 	# for reading .forward - maybe we need a new type for it?
 	# also for delivering mail to maildir
 	userdom_manage_user_home_subdirs($1,mailserver_delivery)
@@ -218,7 +213,7 @@ template(`mta_per_userdomain_template',`
 	userdom_manage_user_home_subdir_symlinks($1,mailserver_delivery)
 	userdom_manage_user_home_subdir_pipes($1,mailserver_delivery)
 	userdom_manage_user_home_subdir_sockets($1,mailserver_delivery)
-	userdom_create_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
+	userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
 
 	tunable_policy(`use_samba_home_dirs',`
 		fs_manage_cifs_files($1_mail_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 9bc6a3f..64f5ed8 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -79,7 +79,7 @@ ifdef(`targeted_policy',`
 	userdom_manage_user_home_subdir_symlinks(user,mailserver_delivery)
 	userdom_manage_user_home_subdir_pipes(user,mailserver_delivery)
 	userdom_manage_user_home_subdir_sockets(user,mailserver_delivery)
-	userdom_create_user_home(user,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
+	userdom_filetrans_user_home(user,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
 
 # cjp: another require-in-else to resolve
 #	optional_policy(`postfix',`',`
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index 34a7cad..be06290 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -26,16 +26,12 @@
 ## </param>
 #
 template(`samba_per_userdomain_template',`
-	gen_require(`
-		type smbd_t;
-	')
-
 	tunable_policy(`samba_enable_home_dirs',`
 		userdom_manage_user_home_subdir_files($1,smbd_t)
 		userdom_manage_user_home_subdir_symlinks($1,smbd_t)
 		userdom_manage_user_home_subdir_sockets($1,smbd_t)
 		userdom_manage_user_home_subdir_pipes($1,smbd_t)
-		userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+		userdom_filetrans_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
 	')
 ')
 
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index 1d7aca6..db5a792 100644
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -28,10 +28,11 @@
 # cjp: when tunables are available, spamc stuff should be
 # toggled on activation of spamc, and similarly for spamd.
 template(`spamassassin_per_userdomain_template',`
-	gen_require(`
-		type spamd_t, spamd_tmp_t;
-		type spamc_exec_t, spamassassin_exec_t;
-	')
+
+	##############################
+	#
+	# Declarations
+	#
 
 	type $1_spamc_t;
 	domain_type($1_spamc_t)
@@ -194,7 +195,7 @@ template(`spamassassin_per_userdomain_template',`
 	allow $1_spamassassin_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
 	allow $1_spamassassin_t $1_spamassassin_home_t:sock_file create_file_perms;
 	allow $1_spamassassin_t $1_spamassassin_home_t:fifo_file create_file_perms;
-	userdom_create_user_home($1,$1_spamassassin_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t)
+	userdom_filetrans_user_home_dir($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
 
 	allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms;
 	allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms;
@@ -215,7 +216,7 @@ template(`spamassassin_per_userdomain_template',`
 	allow spamd_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
 	allow spamd_t $1_spamassassin_home_t:sock_file create_file_perms;
 	allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms;
-	userdom_create_user_home($1,spamd_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t)
+	userdom_filetrans_user_home_dir($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
 
 	kernel_read_kernel_sysctls($1_spamassassin_t)
 
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 3212b7d..9e86216 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1569,12 +1569,15 @@ template(`userdom_manage_user_home_subdir_sockets',`
 
 ########################################
 ## <summary>
-##	
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <desc>
 ##	<p>
-##	Create, read, write, and delete named sockets
-##	in a user home subdirectory.
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	a specified private type.
 ##	</p>
 ##	<p>
 ##	This is a templated interface, and should only
@@ -1588,49 +1591,35 @@ template(`userdom_manage_user_home_subdir_sockets',`
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
-## <param name="object_class" optional="true">
+## <param name="private_type">
+##	The type of the object to create.
+## </param>
+## <param name="object_class">
 ##	The class of the object to be created.  If not
 ##	specified, file is used.
 ## </param>
-## <param name="private_type" optional="true">
-##	The type of the object to create.  If this is
-##	not specified, the regular home directory
-##	type is used.
-## </param>
 #
-template(`userdom_create_user_home',`
+template(`userdom_filetrans_user_home_dir',`
 	gen_require(`
-		type $1_home_dir_t, $1_home_t;
+		type $1_home_dir_t;
 	')
 
 	files_search_home($2)
-
 	allow $2 $1_home_dir_t:dir rw_dir_perms;
-
-	ifelse(`$4',`',`
-		ifelse(`$3',`',`
-			type_transition $2 $1_home_dir_t:file $1_home_t;
-		',`
-			type_transition $2 $1_home_dir_t:$3 $1_home_t;
-		')
-	',`
-		ifelse(`$3',`',`
-			type_transition $2 $1_home_dir_t:file $4;
-		',`
-			type_transition $2 $1_home_dir_t:$3 $4;
-		')
-	')
+	type_transition $2 $1_home_dir_t:$4 $3;
 ')
 
 ########################################
 ## <summary>
-##	Create objects in a user home directory with
-##	a type transition to a specified type.
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	the user home file type.
 ## </summary>
 ## <desc>
 ##	<p>
-##	Create objects in a user home directory with
-##	a type transition to a specified type.
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	the user home file type.
 ##	</p>
 ##	<p>
 ##	This is a templated interface, and should only
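Review bot: The `object_class` parameter text kept above `userdom_filetrans_user_home_dir` still says "If not specified, file is used", but the rewritten body no longer has the `ifelse` fallback. `type_transition $2 $1_home_dir_t:$4 $3;` uses `$4` unconditionally, so an omitted class expands to a rule with an empty class instead of defaulting to `file`. The same stale sentence is left above `userdom_filetrans_user_home` in the following hunk, whose body uses `$3` the same way. I would shorten both to `##	The class of the object to be created.` so callers know the argument is mandatory. The description could also say that the template grants only `rw_dir_perms` on the home directory plus the transition, so the caller must allow create access on the private type itself, as the irc.if and spamassassin.if callers do.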
@@ -1644,25 +1633,19 @@ template(`userdom_create_user_home',`
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
-## <param name="private_type">
-##	The type of the object to create.  If this is
-##	not specified, the regular home directory
-##	type is used.
-## </param>
 ## <param name="object_class">
 ##	The class of the object to be created.  If not
 ##	specified, file is used.
 ## </param>
 #
-template(`userdom_filetrans_user_home_dir',`
+template(`userdom_filetrans_user_home',`
 	gen_require(`
 		type $1_home_dir_t, $1_home_t;
 	')
 
 	files_search_home($2)
 	allow $2 $1_home_dir_t:dir rw_dir_perms;
-
-	type_transition $2 $1_home_dir_t:$4 $3;
+	type_transition $2 $1_home_dir_t:$3 $1_home_t;
 ')
 
 ########################################

