[selinux-policy/f15/master] Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Apr 7 17:55:21 UTC 2011
commit b5f0af94c6c773793a0de93d065d504c7eb032f2
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Apr 7 19:55:59 2011 +0000
Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir
policy-F15.patch | 88 ++++++++++++++++++++++++++++++++++++++---------------
1 files changed, 63 insertions(+), 25 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 4e9cb92..61a9a7c 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -2446,7 +2446,7 @@ index d5aaf0e..689b2fd 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..b6ede9a 100644
+index 6a5004b..1ca5245 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -2474,7 +2474,7 @@ index 6a5004b..b6ede9a 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
-@@ -38,7 +44,9 @@ logging_send_syslog_msg(tmpreaper_t)
+@@ -38,12 +44,15 @@ logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
@@ -2485,7 +2485,13 @@ index 6a5004b..b6ede9a 100644
ifdef(`distro_redhat',`
userdom_list_user_home_content(tmpreaper_t)
-@@ -52,7 +60,9 @@ optional_policy(`
+ userdom_delete_user_home_content_dirs(tmpreaper_t)
+ userdom_delete_user_home_content_files(tmpreaper_t)
++ userdom_delete_user_home_content_sock_files(tmpreaper_t)
+ userdom_delete_user_home_content_symlinks(tmpreaper_t)
+ ')
+
+@@ -52,7 +61,9 @@ optional_policy(`
')
optional_policy(`
@@ -2495,7 +2501,7 @@ index 6a5004b..b6ede9a 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,6 +76,14 @@ optional_policy(`
+@@ -66,6 +77,14 @@ optional_policy(`
')
optional_policy(`
@@ -53785,10 +53791,10 @@ index 0000000..aabfb0d
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..10cd4b2
+index 0000000..80d1ba6
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,175 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -53918,6 +53924,14 @@ index 0000000..10cd4b2
+miscfiles_relabel_man_pages(systemd_tmpfiles_t)
+miscfiles_read_localization(systemd_tmpfiles_t)
+
++ifdef(`distro_redhat',`
++ userdom_list_user_home_content(systemd_tmpfiles_t)
++ userdom_delete_user_home_content_dirs(systemd_tmpfiles_t)
++ userdom_delete_user_home_content_files(systemd_tmpfiles_t)
++ userdom_delete_user_home_content_sock_files(systemd_tmpfiles_t)
++ userdom_delete_user_home_content_symlinks(systemd_tmpfiles_t)
++')
++
+optional_policy(`
+ auth_rw_login_records(systemd_tmpfiles_t)
+')
@@ -55090,7 +55104,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..c5d64fd 100644
+index 28b88de..195c663 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -56623,7 +56637,32 @@ index 28b88de..c5d64fd 100644
')
########################################
-@@ -1810,8 +2201,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1779,6 +2170,24 @@ interface(`userdom_delete_user_home_content_files',`
+
+ ########################################
+ ## <summary>
++## Delete sock files in a user home subdirectory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_delete_user_home_content_sock_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:sock_file delete_file_perms;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to write user home files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1810,8 +2219,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -56633,7 +56672,7 @@ index 28b88de..c5d64fd 100644
')
########################################
-@@ -1827,21 +2217,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2235,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -56647,19 +56686,18 @@ index 28b88de..c5d64fd 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
## <summary>
- ## Do not audit attempts to execute user home files.
-@@ -2182,7 +2566,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2584,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -56668,7 +56706,7 @@ index 28b88de..c5d64fd 100644
')
########################################
-@@ -2435,13 +2819,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2837,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -56684,7 +56722,7 @@ index 28b88de..c5d64fd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2847,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2865,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -56711,7 +56749,7 @@ index 28b88de..c5d64fd 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2815,7 +3180,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3198,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -56720,7 +56758,7 @@ index 28b88de..c5d64fd 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3196,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3214,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -56736,7 +56774,7 @@ index 28b88de..c5d64fd 100644
')
########################################
-@@ -2917,7 +3284,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3302,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -56745,7 +56783,7 @@ index 28b88de..c5d64fd 100644
')
########################################
-@@ -2972,7 +3339,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3357,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -56792,7 +56830,7 @@ index 28b88de..c5d64fd 100644
')
########################################
-@@ -3009,6 +3414,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3432,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -56800,7 +56838,7 @@ index 28b88de..c5d64fd 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3493,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3511,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -56825,7 +56863,7 @@ index 28b88de..c5d64fd 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3139,3 +3563,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3581,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
More information about the scm-commits
mailing list