diff --git a/refpolicy/Changelog b/refpolicy/Changelog index da7184e..59c2a64 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -3,6 +3,7 @@ apt (Erich Schubert) clamav (Erich Schubert) dpkg (Erich Schubert) + thunderbird tor (Erich Schubert) * Tue Mar 07 2006 Chris PeBenito - 20060307 diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index 1d556fb..974636b 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -371,6 +371,22 @@ gen_tunable(cron_can_relabel,false) ## ##

+## Disable transitions to user thunderbird domains +##

+##
+gen_tunable(disable_thunderbird_trans,false) + +## +##

+## Allow email client to various content. +## nfs, samba, removable devices, user temp +## and untrusted content files +##

+##
+gen_tunable(mail_read_content,false) + +## +##

## Allow pppd to be run for a regular user ##

##
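Review bot: The description of the new `mail_read_content` tunable is missing its verb — `## Allow email client to various content.` should read `## Allow email client to read various content.`; this text is what ends up in the generated tunable documentation, so the read-only intent should be stated explicitly. The list that follows (nfs, samba, removable devices, user temp, untrusted content) matches the `tunable_policy` blocks that consume it in thunderbird.if, so it can stay as is.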
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index ebe004f..db8f672 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -354,3 +354,40 @@ template(`gpg_per_userdomain_template',` ') dnl end TODO ') +######################################## +## +## Transition to a user gpg domain. +## +## +##

+## Transition to a user gpg domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`gpg_domtrans_user_gpg',` + gen_require(` + type $1_gpg_t, gpg_exec_t; + ') + + domain_auto_trans($2, gpg_exec_t, $1_gpg_t) + allow $2 $1_gpg_t:fd use; + allow $1_gpg_t $2:fd use; + allow $1_gpg_t $2:fifo_file rw_file_perms; + allow $1_gpg_t $2:process sigchld; +') + diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te index 489027c..e9271c6 100644 --- a/refpolicy/policy/modules/apps/gpg.te +++ b/refpolicy/policy/modules/apps/gpg.te @@ -1,5 +1,5 @@ -policy_module(gpg, 1.0.0) +policy_module(gpg, 1.0.1) ######################################## # diff --git a/refpolicy/policy/modules/apps/thunderbird.fc b/refpolicy/policy/modules/apps/thunderbird.fc new file mode 100644 index 0000000..cd80a95 --- /dev/null +++ b/refpolicy/policy/modules/apps/thunderbird.fc @@ -0,0 +1,8 @@ +# +# /usr +# +/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) + +ifdef(`strict_policy',` +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) +') diff --git a/refpolicy/policy/modules/apps/thunderbird.if b/refpolicy/policy/modules/apps/thunderbird.if new file mode 100644 index 0000000..d9fbf9b --- /dev/null +++ b/refpolicy/policy/modules/apps/thunderbird.if @@ -0,0 +1,359 @@ +## Thunderbird email client + +####################################### +## +## The per user domain template for the thunderbird module. +## +## +##

+## This template creates a derived domain which is used +## for the thunderbird email client. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`thunderbird_per_userdomain_template',` + + ######################################## + # + # Declarations + # + + type $1_thunderbird_t; + domain_type($1_thunderbird_t) + domain_entry_file($1_thunderbird_t,thunderbird_exec_t) + role $3 types $1_thunderbird_t; + + type $1_thunderbird_home_t alias $1_thunderbird_rw_t; + files_poly_member($1_thunderbird_home_t) + + type $1_thunderbird_tmpfs_t; + files_tmpfs_file($1_thunderbird_tmpfs_t) + + ######################################## + # + # Local policy + # + + allow $1_thunderbird_t self:capability sys_nice; + allow $1_thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack }; + allow $1_thunderbird_t self:fifo_file { ioctl read write getattr }; + allow $1_thunderbird_t self:unix_dgram_socket { create connect }; + allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind }; + allow $1_thunderbird_t self:tcp_socket create_socket_perms; + allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write }; + + # Access ~/.thunderbird + allow $1_thunderbird_t $1_thunderbird_home_t:dir manage_dir_perms; + allow $1_thunderbird_t $1_thunderbird_home_t:file manage_file_perms; + allow $1_thunderbird_t $1_thunderbird_home_t:lnk_file create_lnk_perms; + userdom_search_user_home_dirs($1,$1_thunderbird_t) + + allow $1_thunderbird_t $1_thunderbird_tmpfs_t:dir rw_dir_perms; + allow $1_thunderbird_t $1_thunderbird_tmpfs_t:file manage_file_perms; + allow $1_thunderbird_t $1_thunderbird_tmpfs_t:lnk_file create_lnk_perms; + allow $1_thunderbird_t $1_thunderbird_tmpfs_t:sock_file manage_file_perms; + allow $1_thunderbird_t $1_thunderbird_tmpfs_t:fifo_file manage_file_perms; + fs_filetrans_tmpfs($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ 
dir file lnk_file sock_file fifo_file }) + + allow $2 $1_thunderbird_t:fd use; + allow $2 $1_thunderbird_t:shm { associate getattr }; + allow $2 $1_thunderbird_t:unix_stream_socket connectto; + allow $1_thunderbird_t $2:fd use; + allow $1_thunderbird_t $2:process sigchld; + allow $1_thunderbird_t $2:unix_stream_socket connectto; + + # Allow the user domain to signal/ps. + allow $2 $1_thunderbird_t:dir { search getattr read }; + allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr }; + allow $2 $1_thunderbird_t:process getattr; + # We need to suppress this denial because procps tries to access + # /proc/pid/environ and this now triggers a ptrace check in recent kernels + # (2.4 and 2.6). Might want to change procps to not do this, or only if + # running in a privileged domain. + dontaudit $2 $1_thunderbird_t:process ptrace; + + # Access ~/.thunderbird + allow $2 $1_thunderbird_home_t:dir manage_dir_perms; + allow $2 $1_thunderbird_home_t:file manage_file_perms; + allow $2 $1_thunderbird_home_t:lnk_file create_lnk_perms; + allow $2 $1_thunderbird_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + + # Allow netstat + kernel_read_network_state($1_thunderbird_t) + + corecmd_exec_shell($1_thunderbird_t) + # Startup shellscript + corecmd_exec_bin($1_thunderbird_t) + + corenet_tcp_sendrecv_generic_if($1_thunderbird_t) + corenet_raw_sendrecv_generic_if($1_thunderbird_t) + corenet_tcp_sendrecv_ipp_port($1_thunderbird_t) + corenet_tcp_sendrecv_ldap_port($1_thunderbird_t) + corenet_tcp_sendrecv_innd_port($1_thunderbird_t) + corenet_tcp_sendrecv_smtp_port($1_thunderbird_t) + corenet_tcp_sendrecv_pop_port($1_thunderbird_t) + corenet_tcp_sendrecv_http_port($1_thunderbird_t) + corenet_tcp_sendrecv_all_nodes($1_thunderbird_t) + corenet_raw_sendrecv_all_nodes($1_thunderbird_t) + corenet_non_ipsec_sendrecv($1_thunderbird_t) + corenet_tcp_bind_all_nodes($1_thunderbird_t) + corenet_tcp_connect_ipp_port($1_thunderbird_t) + corenet_tcp_connect_ldap_port($1_thunderbird_t) + 
corenet_tcp_connect_innd_port($1_thunderbird_t) + corenet_tcp_connect_smtp_port($1_thunderbird_t) + corenet_tcp_connect_pop_port($1_thunderbird_t) + corenet_tcp_connect_http_port($1_thunderbird_t) + + files_list_tmp($1_thunderbird_t) + files_read_usr_files($1_thunderbird_t) + files_read_etc_files($1_thunderbird_t) + + fs_getattr_xattr_fs($1_thunderbird_t) + # Access ~/.thunderbird + fs_search_auto_mountpoints($1_thunderbird_t) + + libs_use_shared_libs($1_thunderbird_t) + libs_use_ld_so($1_thunderbird_t) + + miscfiles_read_fonts($1_thunderbird_t) + + sysnet_read_config($1_thunderbird_t) + # Allow DNS + sysnet_dns_name_resolve($1_thunderbird_t) + + userdom_manage_user_tmp_dirs($1,$1_thunderbird_t) + userdom_read_user_tmp_files($1,$1_thunderbird_t) + userdom_write_user_tmp_sockets($1,$1_thunderbird_t) + userdom_manage_user_tmp_sockets($1,$1_thunderbird_t) + # .kde/....gtkrc + userdom_read_user_home_content_files($1,$1_thunderbird_t) + + xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t) + + # Transition from user type + tunable_policy(`! 
disable_thunderbird_trans',` + domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t) + ') + + # Access ~/.thunderbird + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs($1_thunderbird_t) + fs_manage_nfs_files($1_thunderbird_t) + fs_manage_nfs_symlinks($1_thunderbird_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs($1_thunderbird_t) + fs_manage_cifs_files($1_thunderbird_t) + fs_manage_cifs_symlinks($1_thunderbird_t) + ') + + tunable_policy(`mail_read_content && use_nfs_home_dirs',` + files_list_home($1_thunderbird_t) + + fs_list_auto_mountpoints($1_thunderbird_t) + fs_read_nfs_files($1_thunderbird_t) + fs_read_nfs_symlinks($1_thunderbird_t) + ',` + files_dontaudit_list_home($1_thunderbird_t) + + fs_dontaudit_list_auto_mountpoints($1_thunderbird_t) + fs_dontaudit_list_nfs($1_thunderbird_t) + fs_dontaudit_read_nfs_files($1_thunderbird_t) + ') + + tunable_policy(`mail_read_content && use_samba_home_dirs',` + files_list_home($1_thunderbird_t) + + fs_list_auto_mountpoints($1_thunderbird_t) + fs_read_cifs_files($1_thunderbird_t) + fs_read_cifs_symlinks($1_thunderbird_t) + ',` + files_dontaudit_list_home($1_thunderbird_t) + + fs_dontaudit_list_auto_mountpoints($1_thunderbird_t) + fs_dontaudit_read_cifs_files($1_thunderbird_t) + fs_dontaudit_list_cifs($1_thunderbird_t) + ') + + tunable_policy(`mail_read_content',` + userdom_list_user_tmp($1,$1_thunderbird_t) + userdom_read_user_tmp_files($1,$1_thunderbird_t) + userdom_read_user_tmp_symlinks($1,$1_thunderbird_t) + userdom_search_user_home_dirs($1,$1_thunderbird_t) + userdom_read_user_home_content_files($1,$1_thunderbird_t) + userdom_read_user_home_content_symlinks($1,$1_thunderbird_t) + + ifdef(`mls_policy',` + ',` + fs_search_removable($1_thunderbird_t) + fs_read_removable_files($1_thunderbird_t) + fs_read_removable_symlinks($1_thunderbird_t) + ') + ',` + files_dontaudit_list_tmp($1_thunderbird_t) + files_dontaudit_list_home($1_thunderbird_t) + + 
fs_dontaudit_list_removable($1_thunderbird_t) + fs_donaudit_read_removable_files($1_thunderbird_t) + + userdom_dontaudit_list_user_tmp($1,$1_thunderbird_t) + userdom_dontaudit_read_user_tmp_files($1,$1_thunderbird_t) + userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t) + userdom_dontaudit_read_user_home_content_files($1,$1_thunderbird_t) + ') + + tunable_policy(`mail_read_content && read_default_t',` + files_list_default($1_thunderbird_t) + files_read_default_files($1_thunderbird_t) + files_read_default_symlinks($1_thunderbird_t) + ',` + files_dontaudit_read_default_files($1_thunderbird_t) + files_dontaudit_list_default($1_thunderbird_t) + ') + + tunable_policy(`mail_read_content && read_untrusted_content',` + files_list_tmp($1_thunderbird_t) + files_list_home($1_thunderbird_t) + + userdom_search_user_home_dirs($1,$1_thunderbird_t) + userdom_list_user_untrusted_content($1,$1_thunderbird_t) + userdom_read_user_untrusted_content_files($1,$1_thunderbird_t) + userdom_read_user_untrusted_content_symlinks($1,$1_thunderbird_t) + userdom_list_user_tmp_untrusted_content($1,$1_thunderbird_t) + userdom_read_user_tmp_untrusted_content_files($1,$1_thunderbird_t) + userdom_read_user_tmp_untrusted_content_symlinks($1,$1_thunderbird_t) + ',` + files_dontaudit_list_tmp($1_thunderbird_t) + files_dontaudit_list_home($1_thunderbird_t) + + userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t) + userdom_dontaudit_list_user_untrusted_content($1,$1_thunderbird_t) + userdom_dontaudit_read_user_untrusted_content_files($1,$1_thunderbird_t) + userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_thunderbird_t) + userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_thunderbird_t) + ') + + # Manage nfs homedirs + tunable_policy(`write_untrusted_content && use_nfs_home_dirs',` + files_search_home($1_thunderbird_t) + + fs_search_auto_mountpoints($1_thunderbird_t) + fs_manage_nfs_dirs($1_thunderbird_t) + fs_manage_nfs_files($1_thunderbird_t) + 
fs_manage_nfs_symlinks($1_thunderbird_t) + ',` + fs_dontaudit_list_auto_mountpoints($1_thunderbird_t) + fs_dontaudit_manage_nfs_dirs($1_thunderbird_t) + fs_dontaudit_manage_nfs_files($1_thunderbird_t) + ') + + # Manage samba homedirs + tunable_policy(`write_untrusted_content && use_samba_home_dirs',` + files_search_home($1_thunderbird_t) + + fs_search_auto_mountpoints($1_thunderbird_t) + fs_manage_cifs_dirs($1_thunderbird_t) + fs_manage_cifs_files($1_thunderbird_t) + fs_manage_cifs_symlinks($1_thunderbird_t) + ',` + fs_dontaudit_list_auto_mountpoints($1_thunderbird_t) + fs_dontaudit_manage_cifs_dirs($1_thunderbird_t) + fs_dontaudit_manage_cifs_files($1_thunderbird_t) + ') + + # Manage /tmp and /home + tunable_policy(`write_untrusted_content',` + files_search_home($1_thunderbird_t) + files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,file) + files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,dir) + + userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,file) + userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,dir) + ',` + files_dontaudit_list_home($1_thunderbird_t) + files_dontaudit_list_tmp($1_thunderbird_t) + + userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t) + userdom_dontaudit_manage_user_tmp_dirs($1,$1_thunderbird_t) + userdom_dontaudit_manage_user_tmp_files($1,$1_thunderbird_t) + userdom_dontaudit_manage_user_home_content_dirs($1,$1_thunderbird_t) + ') + + optional_policy(`dbus', ` + dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t) + dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t) + dbus_send_system_bus($1_thunderbird_t) + dbus_send_user_bus($1,$1_thunderbird_t) + ') + + optional_policy(`lpr',` + lpd_domtrans_user_lpr($1,$1_thunderbird_t) + ') + + optional_policy(`cups',` + cups_read_rw_config($1_thunderbird_t) + ') + + optional_policy(`gpg', ` + gpg_domtrans_user_gpg($1,$1_thunderbird_t) + ') + + optional_policy(`nis',` + nis_use_ypbind($1_thunderbird_t) + ') + + 
ifdef(`TODO',` + # FIXME: Rules were removed to centralize policy in a gnome_app macro + # A similar thing might be necessary for mozilla compiled without GNOME + # support (is this possible?). + + # FIXME: Why does it try to do that? + #dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute }; + + # Why is thunderbird looking in .mozilla ? + # FIXME: there are legitimate uses of invoking the browser - about -> release notes + dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search; + + # Start links in web browser + ifdef(`mozilla.te', ` + can_exec($1_thunderbird_t, shell_exec_t) + domain_auto_trans($1_thunderbird_t, mozilla_exec_t, $1_mozilla_t) + ') + + # GNOME support + optional_policy(`gnome', ` + gnome_application($1_thunderbird, $1) + gnome_file_dialog($1_thunderbird, $1) + allow $1_thunderbird_t $1_gnome_settings_t:file { read write }; + ') + optinal_policy(`dbus',` + allow $1_t $2_dbusd_t:dbus send_msg; + ifdef(`cups.te', ` + allow cupsd_t $1_t:dbus send_msg; + ') + ') + + ') +') diff --git a/refpolicy/policy/modules/apps/thunderbird.te b/refpolicy/policy/modules/apps/thunderbird.te new file mode 100644 index 0000000..60f093d --- /dev/null +++ b/refpolicy/policy/modules/apps/thunderbird.te @@ -0,0 +1,10 @@ + +policy_module(thunderbird,1.0.0) + +######################################## +# +# Declarations +# + +type thunderbird_exec_t; +files_type(thunderbird_exec_t) diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index 8853e04..4bec122 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if 
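Review bot: `fs_donaudit_read_removable_files($1_thunderbird_t)` in the else branch of `tunable_policy(`mail_read_content'` is misspelled; m4 leaves an unknown macro unexpanded, so the module will not build until it is `fs_dontaudit_read_removable_files($1_thunderbird_t)`. Separately, `userdom_read_user_tmp_files`, `userdom_search_user_home_dirs` and `userdom_read_user_home_content_files` are already granted unconditionally in the local-policy section (the `# .kde/....gtkrc` block), so repeating them under `tunable_policy(`mail_read_content'` adds nothing and the matching `userdom_dontaudit_*` rules in its else branch never take effect — the tunable does not actually gate access to user tmp and home content as its description claims. Either drop the unconditional grants or narrow them to the specific configuration files the client needs, and document why. The `execheap execmem execstack` grants on `self:process` are broad for a mail client; a comment naming what requires them would let a later reviewer judge whether they can be tightened. `optinal_policy(`dbus'` inside the `ifdef(`TODO'` block is harmless today because that block is never expanded, but it will fail the moment the block is enabled.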
@@ -2644,6 +2644,25 @@ interface(`files_read_generic_tmp_files',` ######################################## ## +## Manage temporary files and directories in /tmp. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`files_manage_generic_tmp_files',` + gen_require(` + type tmp_t; + ') + + allow $1 tmp_t:dir rw_dir_perms; + allow $1 tmp_t:file manage_file_perms; +') + +######################################## +## ## Read symbolic links in the tmp directory (/tmp). ## ## diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te index 7f506e4..0b49aa7 100644 --- a/refpolicy/policy/modules/kernel/files.te +++ b/refpolicy/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.2.0) +policy_module(files,1.2.1) ######################################## # diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if index b96f17f..e376365 100644 --- a/refpolicy/policy/modules/services/dbus.if +++ b/refpolicy/policy/modules/services/dbus.if 
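Review bot: The summary `## Manage temporary files and directories in /tmp.` overstates what `files_manage_generic_tmp_files` grants: the rules are `allow $1 tmp_t:dir rw_dir_perms;` and `allow $1 tmp_t:file manage_file_perms;`, so directories in /tmp can be listed and written into but not created or removed. Either change the summary to `## Manage temporary files in /tmp (directories are read/write only).` or, if directory management is intended, use `allow $1 tmp_t:dir manage_dir_perms;`. I did not find a caller of this new interface elsewhere in this commit, so it is worth confirming it is needed rather than landing an unused grant.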
@@ -216,6 +216,75 @@ template(`dbus_system_bus_client_template',` allow $2 system_dbusd_t:unix_stream_socket connectto; ') +####################################### +## +## Template for creating connections to +## a user DBUS. +## +## +## +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the domain. +## +## +# +template(`dbus_user_bus_client_template',` + gen_require(` + type $1_dbusd_t, $1_dbusd_t; + type $1_dbusd_var_run_t; + class dbus send_msg; + ') + + type $2_dbusd_$1_t; + type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t; + + # SE-DBus specific permissions + allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; + + # For connecting to the bus + files_search_pids($3) + allow $3 system_dbusd_var_run_t:dir search; + allow $3 system_dbusd_var_run_t:sock_file write; + allow $3 system_dbusd_t:unix_stream_socket connectto; +') + +######################################## +## +## Send a message on user/application specific DBUS. +## +## +## +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`dbus_send_user_bus',` + gen_require(` + type $1_dbusd_t; + class dbus send_msg; + ') + + allow $2 $1_dbusd_t:dbus send_msg; +') + + ######################################## ## ## Read dbus configuration. diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te index e969d8a..2d35030 100644 --- a/refpolicy/policy/modules/services/dbus.te +++ b/refpolicy/policy/modules/services/dbus.te @@ -1,5 +1,5 @@ -policy_module(dbus,1.2.0) +policy_module(dbus,1.2.1) gen_require(` class dbus { send_msg acquire_svc }; diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if index da7e607..3873992 100644 --- a/refpolicy/policy/modules/services/lpd.if +++ b/refpolicy/policy/modules/services/lpd.if 
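Review bot: The body of `dbus_user_bus_client_template` does not match its stated purpose: the `gen_require` lists `$1_dbusd_t` twice and requires `$1_dbusd_var_run_t`, which is never used, while the connection rules reference `system_dbusd_var_run_t` and `system_dbusd_t`, which are not required here and belong to the system bus. For a user-bus client the last three rules presumably should be `allow $3 $1_dbusd_var_run_t:dir search;`, `allow $3 $1_dbusd_var_run_t:sock_file write;` and `allow $3 $1_dbusd_t:unix_stream_socket connectto;` — confirm against how the user dbusd types are declared before changing them. The parameter documentation describes the first and second parameter with the same sentence; the second is the prefix of the client domain (e.g. user_thunderbird) and should say so. The `type $2_dbusd_$1_t;` declaration inside the template would likely produce a duplicate-type error if the template is invoked twice with the same arguments; a comment stating that the template must be invoked once per client domain would help callers.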
@@ -356,3 +356,41 @@ interface(`lpd_read_config',` allow $1 printconf_t:dir list_dir_perms; allow $1 printconf_t:file r_file_perms; ') + +######################################## +## +## Transition to a user lpr domain. +## +## +##

+## Transition to a user lpr domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`lpd_domtrans_user_lpr',` + gen_require(` + type $1_lpr_t, lpr_exec_t; + ') + + domain_auto_trans($2, lpr_exec_t, $1_lpr_t) + allow $2 $1_lpr_t:fd use; + allow $1_lpr_t $2:fd use; + allow $1_lpr_t $2:fifo_file rw_file_perms; + allow $1_lpr_t $2:process sigchld; +') + diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te index a7aabb9..f3e7514 100644 --- a/refpolicy/policy/modules/services/lpd.te +++ b/refpolicy/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd,1.2.0) +policy_module(lpd,1.2.1) ######################################## # diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 45d4ec6..04e03b9 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -1552,6 +1552,41 @@ template(`userdom_manage_user_home_content_files',` ######################################## ## +## Do not audit attempts to create, read, write, and delete directories +## in a user home subdirectory. +## +## +##

+## Do not audit attempts to create, read, write, and delete directories +## in a user home subdirectory. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`userdom_dontaudit_manage_user_home_content_dirs',` + gen_require(` + type $1_home_dir_t, $1_home_t; + ') + + dontaudit $2 $1_home_t:dir manage_dir_perms; +') + +######################################## +## ## Create, read, write, and delete symbolic links ## in a user home subdirectory. ## @@ -1864,6 +1899,41 @@ template(`userdom_dontaudit_list_user_tmp',` ######################################## ## +## Do not audit attempts to manage users +## temporary directories. +## +## +##
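Review bot: `userdom_dontaudit_manage_user_home_content_dirs` requires `type $1_home_dir_t, $1_home_t;` but its single rule only uses `$1_home_t`; the unused requirement should be trimmed to `type $1_home_t;` so the template only depends on the type it touches. The summary and description are otherwise consistent with the `dontaudit $2 $1_home_t:dir manage_dir_perms;` rule.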

+## Do not audit attempts to manage users +## temporary directories. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain to not audit. +## +## +# +template(`userdom_dontaudit_manage_user_tmp_dirs',` + gen_require(` + type $1_tmp_t; + ') + + dontaudit $2 $1_tmp_t:dir manage_dir_perms; +') + +######################################## +## ## Read user temporary files. ## ## @@ -2004,6 +2074,41 @@ template(`userdom_rw_user_tmp_files',` ######################################## ## +## Do not audit attempts to manage users +## temporary files. +## +## +##

+## Do not audit attempts to manage users +## temporary files. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain to not audit. +## +## +# +template(`userdom_dontaudit_manage_user_tmp_files',` + gen_require(` + type $1_tmp_t; + ') + + dontaudit $2 $1_tmp_t:file manage_file_perms; +') + +######################################## +## ## Read user ## temporary symbolic links. ## @@ -2357,12 +2462,46 @@ template(`userdom_read_user_untrusted_content_files',` type $1_untrusted_content_t; ') - allow $2 $1_untrusted_content_t:dir rw_dir_perms; + allow $2 $1_untrusted_content_t:dir r_dir_perms; allow $2 $1_untrusted_content_t:file r_file_perms; ') ######################################## ## +## Manage user untrusted files. +## +## +##
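Review bot: `userdom_manage_user_untrusted_content_files` requires only `type $1_untrusted_content_t;` yet its rules use `$1_tmp_t` and `$1_untrusted_content_tmp_t`, neither of which is required, and the required type is never referenced — the template will fail to resolve wherever those tmp types are not already in scope. The summary (`Manage user untrusted files`) and description say nothing about tmp, while the rules only touch the tmp-side untrusted content type; decide whether this is meant to manage `$1_untrusted_content_t` in the home directory (then `allow $2 $1_untrusted_content_t:dir rw_dir_perms; allow $2 $1_untrusted_content_t:file manage_file_perms;`) or the tmp variant (then require `$1_tmp_t, $1_untrusted_content_tmp_t` and name and document it accordingly). Note that thunderbird.if invokes this template with a third argument (`file` / `dir`) but the template declares only two parameters, so the third is silently ignored and both calls expand to the same file-class rules; if the `dir` call is meant to pair with the `files_tmp_filetrans(...,dir)` calls there, a directory-class rule is missing.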

+## Create, read, write, and delete untrusted files. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`userdom_manage_user_untrusted_content_files',` + gen_require(` + type $1_untrusted_content_t; + ') + + allow $2 $1_tmp_t:dir rw_dir_perms; + allow $2 $1_untrusted_content_tmp_t:file manage_file_perms; +') + +######################################## +## ## Do not audit attempts to read users ## untrusted files. ## @@ -2426,7 +2565,7 @@ template(`userdom_read_user_untrusted_content_symlinks',` type $1_untrusted_content_t; ') - allow $2 $1_untrusted_content_t:dir rw_dir_perms; + allow $2 $1_untrusted_content_t:dir r_dir_perms; allow $2 $1_untrusted_content_t:lnk_file r_file_perms; ') @@ -2528,7 +2667,7 @@ template(`userdom_read_user_tmp_untrusted_content_files',` type $1_untrusted_content_tmp_t; ') - allow $2 $1_untrusted_content_tmp_t:dir rw_dir_perms; + allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms; allow $2 $1_untrusted_content_tmp_t:file r_file_perms; ') @@ -2597,7 +2736,7 @@ template(`userdom_read_user_tmp_untrusted_content_symlinks',` type $1_untrusted_content_tmp_t; ') - allow $2 $1_untrusted_content_tmp_t:dir rw_dir_perms; + allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms; allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms; ') diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 2dffbc3..286f55f 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.3.2) +policy_module(userdomain,1.3.3) gen_require(` role sysadm_r, staff_r, user_r;