[selinux-policy: 2768/3172] Remove improper usage of userdom_manage_home_role(), userdom_manage_tmp_role(), and userdom_manage_t

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:06:18 UTC 2010


commit 1db1836ab9ad8e1dfce194b4563d524f65d4c4ce
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jul 6 13:17:05 2010 -0400

    Remove improper usage of userdom_manage_home_role(), userdom_manage_tmp_role(), and userdom_manage_tmpfs_role().

 policy/modules/apps/java.if         |    2 +-
 policy/modules/apps/java.te         |    2 +-
 policy/modules/apps/mono.if         |    4 ++--
 policy/modules/apps/mono.te         |    2 +-
 policy/modules/apps/pulseaudio.if   |    4 ----
 policy/modules/apps/pulseaudio.te   |    7 ++++++-
 policy/modules/apps/wine.if         |    2 +-
 policy/modules/apps/wine.te         |    2 +-
 policy/modules/apps/wm.if           |    4 ----
 policy/modules/apps/wm.te           |    2 +-
 policy/modules/services/likewise.te |    4 ++--
 policy/modules/system/userdomain.if |   20 ++++++++++++++++++++
 policy/modules/system/userdomain.te |    2 +-
 13 files changed, 37 insertions(+), 20 deletions(-)
---
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index 8695c7e..fe12554 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -72,7 +72,7 @@ template(`java_role_template',`
 
 	domain_interactive_fd($1_java_t)
 
-	userdom_manage_tmpfs_role($2, $1_java_t)
+	userdom_manage_user_tmpfs_files($1_java_t)
 
 	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
 
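Review bot: The replacement call `userdom_manage_user_tmpfs_files($1_java_t)` may leave files that $1_java_t creates on tmpfs with the filesystem's default type instead of user_tmpfs_t. The interface added to userdomain.if in this commit covers files only and contains no type-transition rule. The body of the removed `userdom_manage_tmpfs_role()` is not visible in this diff, so check the old template for a transition or for access to directories, sockets and fifos. If it had one, pair the call with an explicit `fs_tmpfs_filetrans($1_java_t, user_tmpfs_t, file)` and watch the audit log for new AVC denials. The same applies to the identical substitutions in mono.if and wine.if; `java_role_template` begins and ends outside this hunk.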
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 6eedf5a..aa8ace6 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.3.0)
+policy_module(java, 2.3.1)
 
 ########################################
 #
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index 7e83596..f694843 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -40,8 +40,6 @@ template(`mono_role_template',`
 	domain_interactive_fd($1_mono_t)
 	application_type($1_mono_t)
 
-	userdom_manage_tmpfs_role($2, $1_mono_t)
-
 	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
 
 	allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
@@ -51,6 +49,8 @@ template(`mono_role_template',`
 	fs_dontaudit_rw_tmpfs_files($1_mono_t)
 	corecmd_bin_domtrans($1_mono_t, $1_t)
 
+	userdom_manage_user_tmpfs_files($1_mono_t)
+
 	optional_policy(`
 		xserver_role($1_r, $1_mono_t)
 	')
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index a3eee89..c101631 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -1,4 +1,4 @@
-policy_module(mono, 1.7.0)
+policy_module(mono, 1.7.1)
 
 ########################################
 #
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index bb86a62..9ebb373 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -35,10 +35,6 @@ interface(`pulseaudio_role',`
 	allow pulseaudio_t $2:unix_stream_socket connectto;
 	allow $2 pulseaudio_t:unix_stream_socket connectto;
 
-	userdom_manage_home_role($1, pulseaudio_t)
-	userdom_manage_tmp_role($1, pulseaudio_t)
-	userdom_manage_tmpfs_role($1, pulseaudio_t)
-
 	allow $2 pulseaudio_t:dbus send_msg;
 	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
 ')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 7e3e3b2..778fb68 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.2.1)
+policy_module(pulseaudio, 1.2.2)
 
 ########################################
 #
@@ -90,6 +90,11 @@ logging_send_syslog_msg(pulseaudio_t)
 
 miscfiles_read_localization(pulseaudio_t)
 
+# cjp: this seems excessive. need to confirm
+userdom_manage_user_home_content_files(pulseaudio_t)
+userdom_manage_user_tmp_files(pulseaudio_t)
+userdom_manage_user_tmpfs_files(pulseaudio_t)
+
 optional_policy(`
 	bluetooth_stream_connect(pulseaudio_t)
 ')
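Review bot: The three added `userdom_manage_user_*` calls give pulseaudio_t manage access, going by the interface names, to every file labelled with the generic user home, tmp and tmpfs types. Because they now sit in pulseaudio.te, they apply whether or not `pulseaudio_role()` is ever called for a user domain. The in-line `cjp:` comment already doubts the scope, and it would be more useful as an actionable marker, e.g. `# TODO(cjp): narrow to pulseaudio-private types once the required home/tmp access is confirmed from AVC logs`. Until then a compromise of the daemon could reach all generic user home content, which is presumably wider than a sound server needs.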
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index bdc0762..6db15ad 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -101,7 +101,7 @@ template(`wine_role_template',`
 	corecmd_bin_domtrans($1_wine_t, $1_t)
 
 	userdom_unpriv_usertype($1, $1_wine_t)
-	userdom_manage_tmpfs_role($2, $1_wine_t)
+	userdom_manage_user_tmpfs_files($1_wine_t)
 
 	domain_mmap_low($1_wine_t)
 
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index a1e7b44..8af45db 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -1,4 +1,4 @@
-policy_module(wine, 1.7.0)
+policy_module(wine, 1.7.1)
 
 ########################################
 #
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
index 369c3b5..82842a0 100644
--- a/policy/modules/apps/wm.if
+++ b/policy/modules/apps/wm.if
@@ -75,10 +75,6 @@ template(`wm_role_template',`
 	miscfiles_read_fonts($1_wm_t)
 	miscfiles_read_localization($1_wm_t)
 
-	userdom_manage_home_role($2, $1_wm_t)
-	userdom_manage_tmpfs_role($2, $1_wm_t)
-	userdom_manage_tmp_role($2, $1_wm_t)
-
 	optional_policy(`
 		dbus_system_bus_client($1_wm_t)
 		dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
index c1494a8..aeea34d 100644
--- a/policy/modules/apps/wm.te
+++ b/policy/modules/apps/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.0.1)
+policy_module(wm, 1.0.2)
 
 ########################################
 #
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
index 9efe95f..ae9d49f 100644
--- a/policy/modules/services/likewise.te
+++ b/policy/modules/services/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.0.0)
+policy_module(likewise, 1.0.1)
 
 #################################
 #
@@ -143,7 +143,7 @@ sysnet_use_ldap(lsassd_t)
 sysnet_read_config(lsassd_t)
 
 userdom_home_filetrans_user_home_dir(lsassd_t)
-userdom_manage_home_role(system_r, lsassd_t)
+userdom_manage_user_home_content_files(lsassd_t)
 
 optional_policy(`
 	kerberos_rw_keytab(lsassd_t)
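Review bot: `userdom_manage_user_home_content_files(lsassd_t)` covers regular files only, going by its name, while the line above it, `userdom_home_filetrans_user_home_dir(lsassd_t)`, suggests lsassd_t creates home directories. If the removed `userdom_manage_home_role(system_r, lsassd_t)` also let it create subdirectories or symlinks when populating a new home, those operations would now be denied. The old template body is not shown in this diff, so this needs checking against it. If directory access turns out to be required, add `userdom_manage_user_home_content_dirs(lsassd_t)` alongside instead of restoring the role template.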
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 42d4e8d..c7c83c4 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2458,6 +2458,26 @@ interface(`userdom_rw_user_tmpfs_files',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete user tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+	allow $1 user_tmpfs_t:dir list_dir_perms;
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of a user domain tty.
 ## </summary>
 ## <param name="domain">
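Review bot: The summary of `userdom_manage_user_tmpfs_files` should state that the interface sets up no type transition, because a caller that creates files on tmpfs will not get them labelled user_tmpfs_t from this call alone. A line such as `##	Does not include a type transition; callers that create files also need fs_tmpfs_filetrans().` in the documentation block would cover it. Separately, `allow $1 user_tmpfs_t:dir list_dir_perms;` looks redundant if `manage_files_pattern` already grants read/write access to the containing directory, which is worth confirming against the support macros. The documentation block that follows the new interface continues outside the hunk.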
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 8567f3b..69b2e0f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.4.1)
+policy_module(userdomain, 4.4.2)
 
 ########################################
 #

