[selinux-policy: 1189/3172] clean up userdom_create_user_home()
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:47:44 UTC 2010
commit 9417cb7ad14c4534d602139e51a70f77976de8b6
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Feb 3 16:13:15 2006 +0000
clean up userdom_create_user_home()
refpolicy/policy/modules/apps/irc.if | 2 +-
refpolicy/policy/modules/apps/java.if | 2 +-
refpolicy/policy/modules/services/cron.if | 2 +-
refpolicy/policy/modules/services/cron.te | 2 +-
refpolicy/policy/modules/services/ftp.if | 6 +--
refpolicy/policy/modules/services/ftp.te | 2 +-
refpolicy/policy/modules/services/mta.if | 19 +++----
refpolicy/policy/modules/services/mta.te | 2 +-
refpolicy/policy/modules/services/samba.if | 6 +--
refpolicy/policy/modules/services/spamassassin.if | 13 +++--
refpolicy/policy/modules/system/userdomain.if | 59 +++++++-------------
11 files changed, 43 insertions(+), 72 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index 5ad0661..3d604ad 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -65,7 +65,7 @@ template(`irc_per_userdomain_template',`
allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
allow $1_irc_t $1_irc_home_t:file create_file_perms;
allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
- userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
+ userdom_filetrans_user_home_dir($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
# access files under /tmp
allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index b390cb4..e99d538 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -126,12 +126,12 @@ template(`java_per_userdomain_template',`
userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
userdom_dontaudit_setattr_user_home_files($1,$1_javaplugin_t)
userdom_dontaudit_exec_user_home_files($1,$1_javaplugin_t)
- userdom_create_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file },$1_home_t)
userdom_manage_user_home_subdirs($1,$1_javaplugin_t)
userdom_manage_user_home_subdir_files($1,$1_javaplugin_t)
userdom_manage_user_home_subdir_symlinks($1,$1_javaplugin_t)
userdom_manage_user_home_subdir_pipes($1,$1_javaplugin_t)
userdom_manage_user_home_subdir_sockets($1,$1_javaplugin_t)
+ userdom_filetrans_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
# libdeploy.so legacy
tunable_policy(`allow_execmem',`
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 66caebb..fa0d30c 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -142,7 +142,7 @@ template(`cron_per_userdomain_template',`
userdom_manage_user_home_subdir_symlinks($1,$1_crond_t)
userdom_manage_user_home_subdir_pipes($1,$1_crond_t)
userdom_manage_user_home_subdir_sockets($1,$1_crond_t)
-# userdom_create_user_home($1,$1_crond_t,notdevfile_class_set)
+# userdom_filetrans_user_home($1,$1_crond_t,notdevfile_class_set)
tunable_policy(`fcron_crond', `
allow crond_t $1_cron_spool_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 743dae1..75a112d 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -159,7 +159,7 @@ ifdef(`targeted_policy',`
userdom_manage_user_home_subdir_symlinks(user,crond_t)
userdom_manage_user_home_subdir_pipes(user,crond_t)
userdom_manage_user_home_subdir_sockets(user,crond_t)
- userdom_create_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file })
+ userdom_filetrans_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file })
allow crond_t unconfined_t:dbus send_msg;
allow crond_t initrc_t:dbus send_msg;
diff --git a/refpolicy/policy/modules/services/ftp.if b/refpolicy/policy/modules/services/ftp.if
index bf1c3dd..ccd4b4d 100644
--- a/refpolicy/policy/modules/services/ftp.if
+++ b/refpolicy/policy/modules/services/ftp.if
@@ -22,16 +22,12 @@
## </param>
#
template(`ftp_per_userdomain_template',`
- gen_require(`
- type ftpd_t;
- ')
-
tunable_policy(`ftpd_is_daemon',`
userdom_manage_user_home_subdir_files($1,ftpd_t)
userdom_manage_user_home_subdir_symlinks($1,ftpd_t)
userdom_manage_user_home_subdir_sockets($1,ftpd_t)
userdom_manage_user_home_subdir_pipes($1,ftpd_t)
- userdom_create_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ userdom_filetrans_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
')
')
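Review bot: The require for `type ftpd_t;` is removed from ftp_per_userdomain_template, yet every call inside the tunable block still names `ftpd_t`. If this template is expanded from a module other than the one that declares the type, a modular policy build would presumably need that require to resolve it, so I would keep it or confirm that templates are exempt. The commit title only mentions the userdom_create_user_home() cleanup, so the removal should at least get a line in the commit message. The same applies to the require blocks dropped from both templates in mta.if, from samba.if (`smbd_t`) and from spamassassin.if (`spamd_t`, `spamd_tmp_t`, `spamc_exec_t`, `spamassassin_exec_t`).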
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 7ffe9f6..a4bf5d9 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -142,7 +142,7 @@ ifdef(`targeted_policy',`
userdom_manage_user_home_subdir_symlinks(user,ftpd_t)
userdom_manage_user_home_subdir_sockets(user,ftpd_t)
userdom_manage_user_home_subdir_pipes(user,ftpd_t)
- userdom_create_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ userdom_filetrans_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
')
')
')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 5e1384e..1b0eeaa 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -36,11 +36,6 @@ interface(`mta_stub',`
#
template(`mta_base_mail_template',`
- gen_require(`
- attribute user_mail_domain;
- type sendmail_exec_t;
- ')
-
##############################
#
# $1_mail_t declarations
@@ -175,11 +170,11 @@ template(`mta_base_mail_template',`
## </param>
#
template(`mta_per_userdomain_template',`
- gen_require(`
- attribute mailserver_domain, mta_user_agent;
- attribute mailserver_delivery, user_mail_domain;
- type sendmail_exec_t;
- ')
+
+ ##############################
+ #
+ # Declarations
+ #
mta_base_mail_template($1)
role $3 types $1_mail_t;
@@ -210,7 +205,7 @@ template(`mta_per_userdomain_template',`
userdom_use_user_terminals($1,mta_user_agent)
# Create dead.letter in user home directories.
userdom_manage_user_home_subdir_files($1,$1_mail_t)
- userdom_create_user_home($1,$1_mail_t,file)
+ userdom_filetrans_user_home($1,$1_mail_t,file)
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
userdom_manage_user_home_subdirs($1,mailserver_delivery)
@@ -218,7 +213,7 @@ template(`mta_per_userdomain_template',`
userdom_manage_user_home_subdir_symlinks($1,mailserver_delivery)
userdom_manage_user_home_subdir_pipes($1,mailserver_delivery)
userdom_manage_user_home_subdir_sockets($1,mailserver_delivery)
- userdom_create_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
+ userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 9bc6a3f..64f5ed8 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -79,7 +79,7 @@ ifdef(`targeted_policy',`
userdom_manage_user_home_subdir_symlinks(user,mailserver_delivery)
userdom_manage_user_home_subdir_pipes(user,mailserver_delivery)
userdom_manage_user_home_subdir_sockets(user,mailserver_delivery)
- userdom_create_user_home(user,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
+ userdom_filetrans_user_home(user,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
# cjp: another require-in-else to resolve
# optional_policy(`postfix',`',`
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index 34a7cad..be06290 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -26,16 +26,12 @@
## </param>
#
template(`samba_per_userdomain_template',`
- gen_require(`
- type smbd_t;
- ')
-
tunable_policy(`samba_enable_home_dirs',`
userdom_manage_user_home_subdir_files($1,smbd_t)
userdom_manage_user_home_subdir_symlinks($1,smbd_t)
userdom_manage_user_home_subdir_sockets($1,smbd_t)
userdom_manage_user_home_subdir_pipes($1,smbd_t)
- userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+ userdom_filetrans_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
')
')
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index 1d7aca6..db5a792 100644
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -28,10 +28,11 @@
# cjp: when tunables are available, spamc stuff should be
# toggled on activation of spamc, and similarly for spamd.
template(`spamassassin_per_userdomain_template',`
- gen_require(`
- type spamd_t, spamd_tmp_t;
- type spamc_exec_t, spamassassin_exec_t;
- ')
+
+ ##############################
+ #
+ # Declarations
+ #
type $1_spamc_t;
domain_type($1_spamc_t)
@@ -194,7 +195,7 @@ template(`spamassassin_per_userdomain_template',`
allow $1_spamassassin_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
allow $1_spamassassin_t $1_spamassassin_home_t:sock_file create_file_perms;
allow $1_spamassassin_t $1_spamassassin_home_t:fifo_file create_file_perms;
- userdom_create_user_home($1,$1_spamassassin_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t)
+ userdom_filetrans_user_home_dir($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms;
allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms;
@@ -215,7 +216,7 @@ template(`spamassassin_per_userdomain_template',`
allow spamd_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
allow spamd_t $1_spamassassin_home_t:sock_file create_file_perms;
allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms;
- userdom_create_user_home($1,spamd_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t)
+ userdom_filetrans_user_home_dir($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctls($1_spamassassin_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 3212b7d..9e86216 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1569,12 +1569,15 @@ template(`userdom_manage_user_home_subdir_sockets',`
########################################
## <summary>
-##
+## Create objects in a user home directory
+## with an automatic type transition to
+## a specified private type.
## </summary>
## <desc>
## <p>
-## Create, read, write, and delete named sockets
-## in a user home subdirectory.
+## Create objects in a user home directory
+## with an automatic type transition to
+## a specified private type.
## </p>
## <p>
## This is a templated interface, and should only
@@ -1588,49 +1591,35 @@ template(`userdom_manage_user_home_subdir_sockets',`
## <param name="domain">
## Domain allowed access.
## </param>
-## <param name="object_class" optional="true">
+## <param name="private_type">
+## The type of the object to create.
+## </param>
+## <param name="object_class">
## The class of the object to be created. If not
## specified, file is used.
## </param>
-## <param name="private_type" optional="true">
-## The type of the object to create. If this is
-## not specified, the regular home directory
-## type is used.
-## </param>
#
-template(`userdom_create_user_home',`
+template(`userdom_filetrans_user_home_dir',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type $1_home_dir_t;
')
files_search_home($2)
-
allow $2 $1_home_dir_t:dir rw_dir_perms;
-
- ifelse(`$4',`',`
- ifelse(`$3',`',`
- type_transition $2 $1_home_dir_t:file $1_home_t;
- ',`
- type_transition $2 $1_home_dir_t:$3 $1_home_t;
- ')
- ',`
- ifelse(`$3',`',`
- type_transition $2 $1_home_dir_t:file $4;
- ',`
- type_transition $2 $1_home_dir_t:$3 $4;
- ')
- ')
+ type_transition $2 $1_home_dir_t:$4 $3;
')
########################################
## <summary>
-## Create objects in a user home directory with
-## a type transition to a specified type.
+## Create objects in a user home directory
+## with an automatic type transition to
+## the user home file type.
## </summary>
## <desc>
## <p>
-## Create objects in a user home directory with
-## a type transition to a specified type.
+## Create objects in a user home directory
+## with an automatic type transition to
+## the user home file type.
## </p>
## <p>
## This is a templated interface, and should only
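Review bot: The object_class description for userdom_filetrans_user_home_dir still says "If not specified, file is used", but the new body is the single rule `type_transition $2 $1_home_dir_t:$4 $3;` with no default branch, and the `optional="true"` attribute was dropped from the param. A caller that omits the class would presumably expand to a rule with an empty class instead of falling back to file, so the description should be reduced to `## The class of the object to be created.` The same stale sentence survives in the context lines of the following hunk for userdom_filetrans_user_home, whose rule `type_transition $2 $1_home_dir_t:$3 $1_home_t;` has no default either. It would also help to note in the private_type description that the argument order is now type first and class second, the reverse of the removed userdom_create_user_home.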
@@ -1644,25 +1633,19 @@ template(`userdom_create_user_home',`
## <param name="domain">
## Domain allowed access.
## </param>
-## <param name="private_type">
-## The type of the object to create. If this is
-## not specified, the regular home directory
-## type is used.
-## </param>
## <param name="object_class">
## The class of the object to be created. If not
## specified, file is used.
## </param>
#
-template(`userdom_filetrans_user_home_dir',`
+template(`userdom_filetrans_user_home',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir rw_dir_perms;
-
- type_transition $2 $1_home_dir_t:$4 $3;
+ type_transition $2 $1_home_dir_t:$3 $1_home_t;
')
########################################