diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index 8695c7e..fe12554 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -72,7 +72,7 @@ template(`java_role_template',`
 domain_interactive_fd($1_java_t)
- userdom_manage_tmpfs_role($2, $1_java_t)
+ userdom_manage_user_tmpfs_files($1_java_t)
 allow $1_java_t self:process { ptrace signal getsched execmem execstack };
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 6eedf5a..aa8ace6 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.3.0)
+policy_module(java, 2.3.1)
 ########################################
 #
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index 7e83596..f694843 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -40,8 +40,6 @@ template(`mono_role_template',`
 domain_interactive_fd($1_mono_t)
 application_type($1_mono_t)
- userdom_manage_tmpfs_role($2, $1_mono_t)
-
 allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
 allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
@@ -51,6 +49,8 @@ template(`mono_role_template',`
 fs_dontaudit_rw_tmpfs_files($1_mono_t)
 corecmd_bin_domtrans($1_mono_t, $1_t)
+ userdom_manage_user_tmpfs_files($1_mono_t)
+
 optional_policy(`
 xserver_role($1_r, $1_mono_t)
 ')
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index a3eee89..c101631 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -1,4 +1,4 @@
-policy_module(mono, 1.7.0)
+policy_module(mono, 1.7.1)
 ########################################
 #
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index bb86a62..9ebb373 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
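Review bot: The replacement `userdom_manage_user_tmpfs_files($1_java_t)` drops the role argument `$2` that `userdom_manage_tmpfs_role` took, so whatever role-specific effect the old interface had (its body is not in this diff) no longer applies to `$1_java_t`; the mono.if and wine.if hunks make the same substitution. If the old interface only granted file and directory access on user_tmpfs_t this is a pure rename, but if it also granted something the new interface lacks — directory creation, symlinks or sockets in user tmpfs — the Java, Mono and Wine domains regress silently, since the policy still builds. A call-site comment such as `# user tmpfs access is no longer role-scoped; see userdom_manage_user_tmpfs_files` would record the intent for the next reader. The enclosing java_role_template starts and ends outside the hunk.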
@@ -35,10 +35,6 @@ interface(`pulseaudio_role',`
 allow pulseaudio_t $2:unix_stream_socket connectto;
 allow $2 pulseaudio_t:unix_stream_socket connectto;
- userdom_manage_home_role($1, pulseaudio_t)
- userdom_manage_tmp_role($1, pulseaudio_t)
- userdom_manage_tmpfs_role($1, pulseaudio_t)
-
 allow $2 pulseaudio_t:dbus send_msg;
 allow pulseaudio_t $2:dbus { acquire_svc send_msg };
 ')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 7e3e3b2..778fb68 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.2.1)
+policy_module(pulseaudio, 1.2.2)
 ########################################
 #
@@ -90,6 +90,11 @@ logging_send_syslog_msg(pulseaudio_t)
 miscfiles_read_localization(pulseaudio_t)
+# cjp: this seems excessive. need to confirm
+userdom_manage_user_home_content_files(pulseaudio_t)
+userdom_manage_user_tmp_files(pulseaudio_t)
+userdom_manage_user_tmpfs_files(pulseaudio_t)
+
 optional_policy(`
 bluetooth_stream_connect(pulseaudio_t)
 ')
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index bdc0762..6db15ad 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -101,7 +101,7 @@ template(`wine_role_template',`
 corecmd_bin_domtrans($1_wine_t, $1_t)
 userdom_unpriv_usertype($1, $1_wine_t)
- userdom_manage_tmpfs_role($2, $1_wine_t)
+ userdom_manage_user_tmpfs_files($1_wine_t)
 domain_mmap_low($1_wine_t)
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index a1e7b44..8af45db 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -1,4 +1,4 @@
-policy_module(wine, 1.7.0)
+policy_module(wine, 1.7.1)
 ########################################
 #
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
index 369c3b5..82842a0 100644
--- a/policy/modules/apps/wm.if
+++ b/policy/modules/apps/wm.if
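Review bot: The three `userdom_manage_user_*` rules added after `miscfiles_read_localization(pulseaudio_t)` grant pulseaudio_t unconditional management of all user home content, tmp and tmpfs files, and the comment `# cjp: this seems excessive. need to confirm` says the author is not sure they are needed. Before this change the same access was granted from `pulseaudio_role` per calling role (the removals in the pulseaudio.if hunk), so it now applies even where no role ever calls pulseaudio_role, and a compromised pulseaudio process could modify any file under the user's home content types rather than only its own state. The comment should state what has to be confirmed, e.g. `# TODO: confirm pulseaudio needs write access beyond its own config/state under the home dir; narrow to a more specific interface or a tunable if not`. The audit log after running with these rules removed would show which of the three are actually exercised.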
@@ -75,10 +75,6 @@ template(`wm_role_template',`
 miscfiles_read_fonts($1_wm_t)
 miscfiles_read_localization($1_wm_t)
- userdom_manage_home_role($2, $1_wm_t)
- userdom_manage_tmpfs_role($2, $1_wm_t)
- userdom_manage_tmp_role($2, $1_wm_t)
-
 optional_policy(`
 dbus_system_bus_client($1_wm_t)
 dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
index c1494a8..aeea34d 100644
--- a/policy/modules/apps/wm.te
+++ b/policy/modules/apps/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.0.1)
+policy_module(wm, 1.0.2)
 ########################################
 #
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
index 9efe95f..ae9d49f 100644
--- a/policy/modules/services/likewise.te
+++ b/policy/modules/services/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.0.0)
+policy_module(likewise, 1.0.1)
 #################################
 #
@@ -143,7 +143,7 @@ sysnet_use_ldap(lsassd_t)
 sysnet_read_config(lsassd_t)
 userdom_home_filetrans_user_home_dir(lsassd_t)
-userdom_manage_home_role(system_r, lsassd_t)
+userdom_manage_user_home_content_files(lsassd_t)
 optional_policy(`
 kerberos_rw_keytab(lsassd_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 42d4e8d..c7c83c4 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2458,6 +2458,26 @@ interface(`userdom_rw_user_tmpfs_files',`
 ########################################
 ##
+## Create, read, write, and delete user tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ allow $1 user_tmpfs_t:dir list_dir_perms;
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
 ## Get the attributes of a user domain tty.
 ##
 ##
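Review bot: `userdom_manage_user_home_content_files(lsassd_t)` gives a daemon that the removed call's `system_r` argument indicates runs in the system role management of every user's home content files, and the commit does not say what in lsassd needs to write home content. The preceding `userdom_home_filetrans_user_home_dir(lsassd_t)` suggests the daemon creates home directories at login, for which a directory-level interface may suffice; the broad file-manage grant should be confirmed against what lsassd actually does before it lands. A comment stating why lsassd needs write access to home content (creating the home directory on first login, for example) would justify the grant for the next reader.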
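Review bot: In the new `userdom_manage_user_tmpfs_files` interface the line `allow $1 user_tmpfs_t:dir list_dir_perms;` is redundant if `manage_files_pattern` expands, as it does elsewhere in refpolicy, to `rw_dir_perms` on the directory type, which already includes the list permissions; either drop it or let the pattern be the only dir rule. The interface grants nothing on lnk_file or sock_file objects in user_tmpfs_t, so callers that previously got those through the removed `userdom_manage_tmpfs_role` (body not shown here) lose them; a line in the description, `## Files only; directory creation, symlinks and sockets are not granted.`, would make that scope visible to callers. Separately, the wm.if hunk on this line drops `userdom_manage_home_role`, `userdom_manage_tmpfs_role` and `userdom_manage_tmp_role` for `$1_wm_t` with no replacement call anywhere in the diff, unlike the other modules; unless the window manager domain inherits that access elsewhere, this is a functional regression for it.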
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 8567f3b..69b2e0f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.4.1)
+policy_module(userdomain, 4.4.2)
 ########################################
 #