diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 992493c..3cdd2d3 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -20,6 +20,12 @@
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the user domain.
+##
+##
+## The role associated with the user domain.
+##
#
template(`su_per_userdomain_template',`
@@ -30,9 +36,9 @@ template(`su_per_userdomain_template',`
domain_subj_id_change_exempt($1_su_t)
domain_obj_id_change_exempt($1_su_t)
domain_wide_inherit_fd($1_su_t)
- role $1_r types $1_su_t;
+ role $3 types $1_su_t;
- allow $1_t $1_su_t:process signal;
+ allow $2 $1_su_t:process signal;
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
@@ -40,18 +46,18 @@ template(`su_per_userdomain_template',`
allow $1_su_t self:fifo_file rw_file_perms;
# Transition from the user domain to this domain.
- domain_auto_trans($1_t, su_exec_t, $1_su_t)
- allow $1_t $1_su_t:fd use;
- allow $1_su_t $1_t:fd use;
- allow $1_su_t $1_t:fifo_file rw_file_perms;
- allow $1_su_t $1_t:process sigchld;
+ domain_auto_trans($2, su_exec_t, $1_su_t)
+ allow $2 $1_su_t:fd use;
+ allow $1_su_t $2:fd use;
+ allow $1_su_t $2:fifo_file rw_file_perms;
+ allow $1_su_t $2:process sigchld;
# By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_su_t,$1_t)
- allow $1_t $1_su_t:fd use;
- allow $1_su_t $1_t:fd use;
- allow $1_su_t $1_t:fifo_file rw_file_perms;
- allow $1_su_t $1_t:process sigchld;
+ corecmd_shell_domtrans($1_su_t,$2)
+ allow $2 $1_su_t:fd use;
+ allow $1_su_t $2:fd use;
+ allow $1_su_t $2:fifo_file rw_file_perms;
+ allow $1_su_t $2:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctl($1_su_t)
@@ -97,7 +103,7 @@ template(`su_per_userdomain_template',`
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
- userdom_use_user_terminals($1_su_t,$1)
+ userdom_use_user_terminals($1,$1_su_t)
if(secure_mode)
{
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 4ff3ed5..17fd5f2 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -20,6 +20,12 @@
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the user domain.
+##
+##
+## The role associated with the user domain.
+##
#
template(`sudo_per_userdomain_template',`
@@ -36,7 +42,7 @@ template(`sudo_per_userdomain_template',`
domain_role_change_exempt($1_sudo_t)
domain_obj_id_change_exempt($1_sudo_t)
- role $1_r types $1_sudo_t;
+ role $3 types $1_sudo_t;
##############################
#
@@ -59,18 +65,18 @@ template(`sudo_per_userdomain_template',`
allow $1_sudo_t self:msg { send receive };
# Enter this derived domain from the user domain
- domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
- allow $1_sudo_t $1_t:fd use;
- allow $1_t $1_sudo_t:fd use;
- allow $1_t $1_sudo_t:fifo_file rw_file_perms;
- allow $1_t $1_sudo_t:process sigchld;
+ domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
+ allow $1_sudo_t $2:fd use;
+ allow $2 $1_sudo_t:fd use;
+ allow $2 $1_sudo_t:fifo_file rw_file_perms;
+ allow $2 $1_sudo_t:process sigchld;
# By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_sudo_t,$1_t)
- allow $1_t $1_sudo_t:fd use;
- allow $1_sudo_t $1_t:fd use;
- allow $1_sudo_t $1_t:fifo_file rw_file_perms;
- allow $1_sudo_t $1_t:process sigchld;
+ corecmd_shell_domtrans($1_sudo_t,$2)
+ allow $2 $1_sudo_t:fd use;
+ allow $1_sudo_t $2:fd use;
+ allow $1_sudo_t $2:fifo_file rw_file_perms;
+ allow $1_sudo_t $2:process sigchld;
kernel_read_kernel_sysctl($1_sudo_t)
kernel_read_system_state($1_sudo_t)
@@ -121,10 +127,10 @@ template(`sudo_per_userdomain_template',`
seutil_read_config($1_sudo_t)
seutil_read_default_contexts($1_sudo_t)
- userdom_manage_user_home_subdir_files($1_sudo_t,$1)
- userdom_manage_user_home_subdir_symlinks($1_sudo_t,$1)
- userdom_manage_user_tmp_files($1_sudo_t,$1)
- userdom_manage_user_tmp_symlinks($1_sudo_t,$1)
+ userdom_manage_user_home_subdir_files($1,$1_sudo_t)
+ userdom_manage_user_home_subdir_symlinks($1,$1_sudo_t)
+ userdom_manage_user_tmp_files($1,$1_sudo_t)
+ userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
userdom_use_unpriv_users_fd($1_sudo_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home($1_sudo_t)
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index b560223..f27154e 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -21,10 +21,15 @@
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+## The type of the process performing this action.
+##
#
template(`gpg_per_userdomain_template',`
- gen_require(`$0'_depend)
-
########################################
#
# Declarations
@@ -33,12 +38,12 @@ template(`gpg_per_userdomain_template',`
type $1_gpg_t;
domain_type($1_gpg_t)
domain_entry_file($1_gpg_t,gpg_exec_t)
- role $1_r types $1_gpg_t;
+ role $3 types $1_gpg_t;
type $1_gpg_agent_t;
domain_type($1_gpg_agent_t)
domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
- role $1_r types $1_gpg_agent_t;
+ role $3 types $1_gpg_agent_t;
type $1_gpg_agent_tmp_t;
files_tmp_file($1_gpg_agent_tmp_t)
@@ -48,11 +53,11 @@ template(`gpg_per_userdomain_template',`
type $1_gpg_helper_t;
domain_type($1_gpg_helper_t)
- role $1_r types $1_gpg_helper_t;
+ role $3 types $1_gpg_helper_t;
type $1_gpg_pinentry_t;
domain_type($1_gpg_pinentry_t)
- role $1_r types $1_gpg_pinentry_t;
+ role $3 types $1_gpg_pinentry_t;
########################################
#
@@ -60,15 +65,15 @@ template(`gpg_per_userdomain_template',`
#
# transition from the userdomain to the derived domain
- domain_auto_trans($1_t,gpg_exec_t,$1_gpg_t)
+ domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
- allow $1_t $1_gpg_t:fd use;
- allow $1_gpg_t $1_t:fd use;
- allow $1_gpg_t $1_t:fifo_file rw_file_perms;
- allow $1_gpg_t $1_t:process sigchld;
+ allow $2 $1_gpg_t:fd use;
+ allow $1_gpg_t $2:fd use;
+ allow $1_gpg_t $2:fifo_file rw_file_perms;
+ allow $1_gpg_t $2:process sigchld;
allow $1_gpg_t self:capability { ipc_lock setuid };
- allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
+ allow { $2 $1_gpg_t } $1_gpg_t:process signal;
# setrlimit is for ulimit -c 0
allow $1_gpg_t self:process { setrlimit setcap };
@@ -79,8 +84,8 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
- allow $1_t $1_gpg_secret_t:file getattr;
- allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
+ allow $2 $1_gpg_secret_t:file getattr;
+ allow $2 $1_gpg_secret_t:dir rw_dir_perms;
corenet_tcp_sendrecv_all_if($1_gpg_t)
corenet_raw_sendrecv_all_if($1_gpg_t)
@@ -115,6 +120,8 @@ template(`gpg_per_userdomain_template',`
sysnet_read_config($1_gpg_t)
+ userdom_use_user_terminals($1,$1_gpg_t)
+
# Legacy
tunable_policy(`allow_gpg_execstack',`
allow $1_gpg_t self:process execmem;
@@ -143,7 +150,6 @@ template(`gpg_per_userdomain_template',`
ifdef(`TODO',`
- access_terminal($1_gpg_t, $1)
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
# allow ps to show gpg
@@ -176,8 +182,8 @@ template(`gpg_per_userdomain_template',`
# mail interface you will likely need additional permissions.
# communicate with the user
- allow $1_gpg_helper_t $1_t:fd use;
- allow $1_gpg_helper_t $1_t:fifo_file write;
+ allow $1_gpg_helper_t $2:fd use;
+ allow $1_gpg_helper_t $2:fifo_file write;
# transition from the gpg domain to the helper domain
domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
@@ -254,17 +260,17 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
# Allow the user shell to signal the gpg-agent program.
- allow $1_t $1_gpg_agent_t:process { signal sigkill };
+ allow $2 $1_gpg_agent_t:process { signal sigkill };
- allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
- allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
- allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
+ allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
+ allow $2 $1_gpg_agent_tmp_t:file create_file_perms;
+ allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
corecmd_search_bin($1_gpg_agent_t)
# Transition from the user domain to the derived domain.
- domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
+ domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t)
domain_use_wide_inherit_fd($1_gpg_agent_t)
@@ -273,6 +279,9 @@ template(`gpg_per_userdomain_template',`
miscfiles_read_localization($1_gpg_agent_t)
+ # Write to the user domain tty.
+ userdom_use_user_terminals($1,$1_gpg_agent_t)
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_gpg_agent_t)
fs_manage_nfs_files($1_gpg_agent_t)
@@ -289,9 +298,6 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_agent_t xdm_t:fd use;
- # Write to the user domain tty.
- access_terminal($1_gpg_agent_t, $1)
-
# allow ps to show gpg-agent
can_ps($1_t, $1_gpg_agent_t)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index ac380e1..cde33f0 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -20,6 +20,12 @@
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the user domain.
+##
+##
+## The role associated with the user domain.
+##
#
template(`cron_per_userdomain_template',`
@@ -30,12 +36,12 @@ template(`cron_per_userdomain_template',`
type $1_crond_t; # user_crond_domain;
domain_type($1_crond_t);
corecmd_shell_entry_type($1_crond_t)
- role $1_r types $1_crond_t;
+ role $3 types $1_crond_t;
type $1_crontab_t;
domain_type($1_crontab_t)
domain_entry_file($1_crontab_t,crontab_exec_t)
- role $1_r types $1_crontab_t;
+ role $3 types $1_crontab_t;
##############################
#
@@ -112,12 +118,12 @@ template(`cron_per_userdomain_template',`
miscfiles_read_localization($1_crond_t)
- userdom_manage_user_tmp_files($1_crond_t,$1)
- userdom_manage_user_tmp_symlinks($1_crond_t,$1)
- userdom_manage_user_tmp_pipes($1_crond_t,$1)
- userdom_manage_user_tmp_sockets($1_crond_t,$1)
+ userdom_manage_user_tmp_files($1,$1_crond_t)
+ userdom_manage_user_tmp_symlinks($1,$1_crond_t)
+ userdom_manage_user_tmp_pipes($1,$1_crond_t)
+ userdom_manage_user_tmp_sockets($1,$1_crond_t)
# Run scripts in user home directory and access shared libs.
- userdom_exec_user_home_files($1_crond_t,$1)
+ userdom_exec_user_home_files($1,$1_crond_t)
tunable_policy(`fcron_crond', `
allow crond_t $1_cron_spool_t:file create_file_perms;
@@ -157,14 +163,14 @@ template(`cron_per_userdomain_template',`
#
# Transition from the user domain to the derived domain.
- domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
- allow $1_t $1_crontab_t:fd use;
- allow $1_crontab_t $1_t:fd use;
- allow $1_crontab_t $1_t:fifo_file rw_file_perms;
- allow $1_crontab_t $1_t:process sigchld;
+ domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
+ allow $2 $1_crontab_t:fd use;
+ allow $1_crontab_t $2:fd use;
+ allow $1_crontab_t $2:fifo_file rw_file_perms;
+ allow $1_crontab_t $2:process sigchld;
# for ^Z
- allow $1_t $1_crontab_t:process signal;
+ allow $2 $1_crontab_t:process signal;
# Allow crond to read those crontabs in cron spool.
allow crond_t $1_cron_spool_t:file r_file_perms;
@@ -188,6 +194,11 @@ template(`cron_per_userdomain_template',`
fs_getattr_xattr_fs($1_crontab_t)
+ # Run helper programs as the user domain
+ corecmd_bin_domtrans($1_crontab_t,$2)
+ corecmd_sbin_domtrans($1_crontab_t,$2)
+ corecmd_shell_domtrans($1_crontab_t,$2)
+
domain_use_wide_inherit_fd($1_crontab_t)
files_read_etc_files($1_crontab_t)
@@ -202,8 +213,12 @@ template(`cron_per_userdomain_template',`
seutil_dontaudit_search_config($1_crontab_t)
- userdom_manage_user_tmp_dirs($1_crontab_t,$1)
- userdom_manage_user_tmp_files($1_crontab_t,$1)
+ userdom_manage_user_tmp_dirs($1,$1_crontab_t)
+ userdom_manage_user_tmp_files($1,$1_crontab_t)
+ # Access terminals.
+ userdom_use_user_terminals($1,$1_crontab_t)
+ # Read user crontabs
+ userdom_read_user_home_files($1,$1_crontab_t)
tunable_policy(`fcron_crond', `
# fcron wants an instant update of a crontab change for the administrator
@@ -212,7 +227,6 @@ template(`cron_per_userdomain_template',`
')
ifdef(`TODO',`
-
can_ps($1_t, $1_crontab_t)
dontaudit $1_crontab_t proc_t:dir search;
@@ -220,19 +234,10 @@ template(`cron_per_userdomain_template',`
allow $1_crond_t tmp_t:dir rw_dir_perms;
type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
- # Run helper programs as $1_t
- domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
-
- # Read user crontabs
+ # Read user crontabs
allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;
- allow $1_crontab_t $1_home_t:file r_file_perms;
dontaudit $1_crontab_t $1_home_dir_t:dir write;
- # Access terminals.
- allow $1_crontab_t devpts_t:dir r_dir_perms;
- allow $1_crontab_t $1_tty_device_t:chr_file rw_file_perms;
- allow $1_crontab_t $1_devpts_t:chr_file rw_file_perms;
-
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
') dnl endif TODO
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 87f132c..6409e53 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -1,15 +1,36 @@
## Policy common to all email tranfer agents.
#######################################
-#
-# Per user domain template for this module
-#
-# mta_per_userdomain_template(userdomain_prefix)
+##
+## The per user domain template for the mta module.
+##
+##
+##
+## This template creates a derived domain which is
+## a email transfer agent, which sends mail on
+## behalf of the user.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+## The type of the user domain.
+##
+##
+## The role associated with the user domain.
+##
#
template(`mta_per_userdomain_template',`
type $1_mail_t; # , user_mail_domain
domain_type($1_mail_t)
- role $1_r types $1_mail_t;
+ role $3 types $1_mail_t;
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
@@ -30,13 +51,13 @@ template(`mta_per_userdomain_template',`
allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
# Transition from the user domain to the derived domain.
- domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
- allow $1_t sendmail_exec_t:lnk_file { getattr read };
+ domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
+ allow $2 sendmail_exec_t:lnk_file { getattr read };
- allow $1_t $1_mail_t:fd use;
- allow $1_mail_t $1_t:fd use;
- allow $1_mail_t $1_t:fifo_file rw_file_perms;
- allow $1_mail_t $1_t:process sigchld;
+ allow $2 $1_mail_t:fd use;
+ allow $1_mail_t $2:fd use;
+ allow $1_mail_t $2:fifo_file rw_file_perms;
+ allow $1_mail_t $2:process sigchld;
kernel_read_kernel_sysctl($1_mail_t)
@@ -64,6 +85,8 @@ template(`mta_per_userdomain_template',`
sysnet_read_config($1_mail_t)
+ userdom_use_user_terminals($1,$1_mail_t)
+
tunable_policy(`use_dns',`
allow $1_mail_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_all_if($1_mail_t)
@@ -113,10 +136,6 @@ template(`mta_per_userdomain_template',`
allow mta_user_agent devpts_t:dir r_dir_perms;
allow mta_user_agent $1_devpts_t:chr_file rw_file_perms;
- allow $1_mail_t $1_tty_device_t:chr_file rw_file_perms;
- allow $1_mail_t devpts_t:dir r_dir_perms;
- allow $1_mail_t $1_devpts_t:chr_file rw_file_perms;
-
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index c70680d..9b7ada4 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -20,6 +20,12 @@
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the user domain.
+##
+##
+## The role associated with the user domain.
+##
#
template(`ssh_per_userdomain_template',`
##############################
@@ -29,14 +35,14 @@ template(`ssh_per_userdomain_template',`
type $1_home_ssh_t; #, $1_file_type;
files_type($1_home_ssh_t)
- role $1_r types $1_ssh_t;
+ role $3 types $1_ssh_t;
type $1_ssh_t;
domain_type($1_ssh_t)
type $1_ssh_agent_t;
domain_type($1_ssh_agent_t)
- role $1_r types $1_ssh_agent_t;
+ role $3 types $1_ssh_agent_t;
##############################
#
@@ -57,7 +63,11 @@ template(`ssh_per_userdomain_template',`
allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
# Transition from the user domain to the derived domain.
- domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
+ domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
+ allow $2 $1_ssh_t:fd use;
+ allow $1_ssh_t $2:fd use;
+ allow $1_ssh_t $2:fifo_file rw_file_perms;
+ allow $1_ssh_t $2:process sigchld;
# Read the ssh key file.
allow $1_ssh_t sshd_key_t:file r_file_perms;
@@ -68,20 +78,20 @@ template(`ssh_per_userdomain_template',`
files_create_tmp_files($1_ssh_t, sshd_tmp_t, { file dir })
# for rsync
- allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms;
- allow $1_ssh_t $1_t:unix_stream_socket connectto;
+ allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
+ allow $1_ssh_t $2:unix_stream_socket connectto;
# user can manage the keys and config
- allow $1_t $1_home_ssh_t:dir rw_dir_perms;
- allow $1_t $1_home_ssh_t:file create_file_perms;
- allow $1_t $1_home_ssh_t:lnk_file create_lnk_perms;
- allow $1_t $1_home_ssh_t:sock_file create_file_perms;
+ allow $2 $1_home_ssh_t:dir rw_dir_perms;
+ allow $2 $1_home_ssh_t:file create_file_perms;
+ allow $2 $1_home_ssh_t:lnk_file create_lnk_perms;
+ allow $2 $1_home_ssh_t:sock_file create_file_perms;
# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
# cjp: should probably fix target to be an attribute for ssh servers
# or "regular" (not special like sshd_extern_t) servers
- allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
+ allow $2 sshd_t:unix_stream_socket rw_stream_socket_perms;
# ssh client can manage the keys and config
allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
@@ -248,20 +258,30 @@ template(`ssh_per_userdomain_template',`
allow $1_ssh_agent_t self:process setrlimit;
allow $1_ssh_agent_t self:capability setgid;
- allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull;
+ allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
+ # for ssh-add
+ allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
+
+ # Allow the user shell to signal the ssh program.
+ allow $2 $1_ssh_agent_t:process signal;
+
# for the transition back to normal privs upon exec
- allow $1_ssh_agent_t $1_t:fd use;
- allow $1_t $1_ssh_agent_t:fd use;
- allow $1_t $1_ssh_agent_t:fifo_file rw_file_perms;
- allow $1_t $1_ssh_agent_t:process sigchld;
+ allow $1_ssh_agent_t $2:fd use;
+ allow $2 $1_ssh_agent_t:fd use;
+ allow $2 $1_ssh_agent_t:fifo_file rw_file_perms;
+ allow $2 $1_ssh_agent_t:process sigchld;
# Allow the ssh program to communicate with ssh-agent.
allow $1_ssh_t sshd_t:unix_stream_socket connectto;
- domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)
+ domain_auto_trans($2, ssh_agent_exec_t, $1_ssh_agent_t)
+ allow $2 $1_ssh_agent_t:fd use;
+ allow $1_ssh_agent_t $2:fd use;
+ allow $1_ssh_agent_t $2:fifo_file rw_file_perms;
+ allow $1_ssh_agent_t $2:process sigchld;
kernel_read_kernel_sysctl($1_ssh_agent_t)
@@ -290,6 +310,9 @@ template(`ssh_per_userdomain_template',`
seutil_dontaudit_search_config($1_ssh_agent_t)
+ # Write to the user domain tty.
+ userdom_use_user_terminals($1,$1_ssh_agent_t)
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
@@ -318,11 +341,6 @@ template(`ssh_per_userdomain_template',`
ifdef(`TODO',`
- # Write to the user domain tty.
- access_terminal($1_ssh_agent_t, $1)
-
- # Allow the user shell to signal the ssh program.
- allow $1_t $1_ssh_agent_t:process signal;
# allow ps to show ssh
can_ps($1_t, $1_ssh_agent_t)
@@ -333,12 +351,8 @@ template(`ssh_per_userdomain_template',`
allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
- # for ssh-add
- can_unix_connect($1_t, $1_ssh_agent_t)
-
# transition back to normal privs upon exec
domain_auto_trans($1_ssh_agent_t, $1_home_t, $1_t)
-
allow $1_ssh_agent_t $1_home_dir_t:dir search;
allow $1_ssh_t $1_tmp_t:sock_file write;
@@ -351,7 +365,7 @@ template(`ssh_per_userdomain_template',`
# Allow the ssh program to communicate with ssh-agent.
allow $1_ssh_t $1_tmp_t:sock_file write;
- allow $1_ssh_t $1_t:unix_stream_socket connectto;
+ allow $1_ssh_t $2:unix_stream_socket connectto;
') dnl endif TODO
')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index c4ada70..7635bb1 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -21,6 +21,12 @@
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the user domain.
+##
+##
+## The role associated with the user domain.
+##
#
template(`authlogin_per_userdomain_template',`
gen_require(`
@@ -38,8 +44,8 @@ template(`authlogin_per_userdomain_template',`
type $1_chkpwd_t, can_read_shadow_passwords;
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
- role $1_r types $1_chkpwd_t;
- role $1_r types system_chkpwd_t;
+ role $3 types $1_chkpwd_t;
+ role $3 types system_chkpwd_t;
allow $1_chkpwd_t self:capability setuid;
allow $1_chkpwd_t self:process getattr;
@@ -70,16 +76,15 @@ template(`authlogin_per_userdomain_template',`
#can_ldap($1_chkpwd_t)
# Transition from the user domain to this domain.
- domain_auto_trans($1_t,chkpwd_exec_t,$1_chkpwd_t)
+ domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
- allow $1_chkpwd_t $1_t:fd use;
- allow $1_t $1_chkpwd_t:fd use;
- allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
- allow $1_chkpwd_t $1_t:process sigchld;
+ allow $1_chkpwd_t $2:fd use;
+ allow $2 $1_chkpwd_t:fd use;
+ allow $1_chkpwd_t $2:fifo_file rw_file_perms;
+ allow $1_chkpwd_t $2:process sigchld;
# Write to the user domain tty.
- #userdomain_use_$1_terminal($1_chkpwd_t)
- #userdomain_use_$1_pty($1_chkpwd_t)
+ userdom_use_user_terminals($1,$1_chkpwd_t)
# Inherit and use descriptors from gnome-pty-helper.
#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
@@ -110,7 +115,6 @@ template(`authlogin_per_userdomain_template',`
optional_policy(`selinuxutil.te',`
seutil_use_newrole_fd($1_chkpwd_t)
')
-
')
########################################
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index d49f4b2..821170f 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -348,6 +348,49 @@ interface(`corecmd_exec_sbin',`
')
########################################
+##
+## Execute a file in a sbin directory
+## in the specified domain.
+##
+##
+##
+## Execute a file in a sbin directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain. This is not suggested.
+##
+##
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##
+##
+## This interface was added to handle
+## the ssh-agent policy.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+## The type of the new process.
+##
+#
+interface(`corecmd_sbin_domtrans',`
+ gen_require(`
+ type sbin_t;
+ class dir search;
+ class lnk_file { getattr read };
+ ')
+
+ allow $1 sbin_t:dir search;
+ allow $1 sbin_t:lnk_file { getattr read };
+
+ domain_auto_trans($1,sbin_t,$2)
+')
+
+########################################
#
# corecmd_exec_shell(domain)
#
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 7668c03..04a37da 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -114,7 +114,7 @@ template(`base_user_template',`
# user domain and the program, and allow us to maintain separation
# between different instances of the program being run by different
# user domains.
- per_userdomain_templates($1,$1_t)
+ per_userdomain_templates($1,$1_t,$1_r)
kernel_read_kernel_sysctl($1_t)
selinux_get_fs_mount($1_t)
@@ -867,34 +867,67 @@ template(`admin_user_template',`
########################################
##
-## Execute user home files.
+## Read user home files.
##
##
##
-## Execute user home files.
+## Read user home files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
##
## The type of the process performing this action.
##
+#
+template(`userdom_read_user_home_files',`
+ gen_require(`
+ class dir search;
+ class file r_file_perms;
+ ')
+
+ files_search_home($2)
+ allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_t:dir search;
+ allow $2 $1_home_t:file r_file_perms;
+')
+
+########################################
+##
+## Execute user home files.
+##
+##
+##
+## Execute user home files.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the process performing this action.
+##
#
template(`userdom_exec_user_home_files',`
gen_require(`
class dir search;
')
- files_search_home($1)
- allow $1 $2_home_dir_t:dir search;
- allow $1 $2_home_t:dir search;
- can_exec($1,$2_home_t)
+ files_search_home($2)
+ allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_t:dir search;
+ can_exec($2,$1_home_t)
')
########################################
@@ -912,13 +945,13 @@ template(`userdom_exec_user_home_files',`
## be called from a per-userdomain template.
##
##
-##
-## The type of the process performing this action.
-##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the process performing this action.
+##
#
template(`userdom_manage_user_home_subdir_files',`
gen_require(`
@@ -926,10 +959,10 @@ template(`userdom_manage_user_home_subdir_files',`
class file create_file_perms;
')
- files_search_home($1)
- allow $1 $2_home_dir_t:dir search;
- allow $1 $2_home_t:dir rw_dir_perms;
- allow $1 $2_home_t:file create_file_perms;
+ files_search_home($2)
+ allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_t:dir rw_dir_perms;
+ allow $2 $1_home_t:file create_file_perms;
')
########################################
@@ -947,13 +980,13 @@ template(`userdom_manage_user_home_subdir_files',`
## be called from a per-userdomain template.
##
##
-##
-## The type of the process performing this action.
-##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the process performing this action.
+##
#
template(`userdom_manage_user_home_subdir_symlinks',`
gen_require(`
@@ -961,10 +994,10 @@ template(`userdom_manage_user_home_subdir_symlinks',`
class lnk_file create_lnk_perms;
')
- files_search_home($1)
- allow $1 $2_home_dir_t:dir search;
- allow $1 $2_home_t:dir rw_dir_perms;
- allow $1 $2_home_t:lnk_file create_lnk_perms;
+ files_search_home($2)
+ allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_t:dir rw_dir_perms;
+ allow $2 $1_home_t:lnk_file create_lnk_perms;
')
########################################
@@ -982,21 +1015,21 @@ template(`userdom_manage_user_home_subdir_symlinks',`
## be called from a per-userdomain template.
##
##
-##
-## The type of the process performing this action.
-##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the process performing this action.
+##
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
class dir create_dir_perms;
')
- files_search_tmp($1)
- allow $1 $2_tmp_t:dir create_dir_perms;
+ files_search_tmp($2)
+ allow $2 $1_tmp_t:dir create_dir_perms;
')
########################################
@@ -1014,13 +1047,13 @@ template(`userdom_manage_user_tmp_dirs',`
## be called from a per-userdomain template.
##
##
-##
-## The type of the process performing this action.
-##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the process performing this action.
+##
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -1028,9 +1061,9 @@ template(`userdom_manage_user_tmp_files',`
class file create_file_perms;
')
- files_search_tmp($1)
- allow $1 $2_tmp_t:dir rw_dir_perms;
- allow $1 $2_tmp_t:file create_file_perms;
+ files_search_tmp($2)
+ allow $2 $1_tmp_t:dir rw_dir_perms;
+ allow $2 $1_tmp_t:file create_file_perms;
')
########################################
@@ -1048,13 +1081,13 @@ template(`userdom_manage_user_tmp_files',`
## be called from a per-userdomain template.
##
##
-##
-## The type of the process performing this action.
-##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the process performing this action.
+##
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -1062,9 +1095,9 @@ template(`userdom_manage_user_tmp_symlinks',`
class lnk_file create_lnk_perms;
')
- files_search_tmp($1)
- allow $1 $2_tmp_t:dir rw_dir_perms;
- allow $1 $2_tmp_t:lnk_file create_lnk_perms;
+ files_search_tmp($2)
+ allow $2 $1_tmp_t:dir rw_dir_perms;
+ allow $2 $1_tmp_t:lnk_file create_lnk_perms;
')
########################################
@@ -1082,13 +1115,13 @@ template(`userdom_manage_user_tmp_symlinks',`
## be called from a per-userdomain template.
##
##
-##
-## The type of the process performing this action.
-##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the process performing this action.
+##
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -1096,9 +1129,9 @@ template(`userdom_manage_user_tmp_pipes',`
class fifo_file create_file_perms;
')
- files_search_tmp($1)
- allow $1 $2_tmp_t:dir rw_dir_perms;
- allow $1 $2_tmp_t:fifo_file create_file_perms;
+ files_search_tmp($2)
+ allow $2 $1_tmp_t:dir rw_dir_perms;
+ allow $2 $1_tmp_t:fifo_file create_file_perms;
')
########################################
@@ -1116,13 +1149,13 @@ template(`userdom_manage_user_tmp_pipes',`
## be called from a per-userdomain template.
##
##
-##
-## The type of the process performing this action.
-##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the process performing this action.
+##
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -1130,9 +1163,9 @@ template(`userdom_manage_user_tmp_sockets',`
class sock_file create_file_perms;
')
- files_search_tmp($1)
- allow $1 $2_tmp_t:dir rw_dir_perms;
- allow $1 $2_tmp_t:sock_file create_file_perms;
+ files_search_tmp($2)
+ allow $2 $1_tmp_t:dir rw_dir_perms;
+ allow $2 $1_tmp_t:sock_file create_file_perms;
')
########################################
@@ -1148,22 +1181,22 @@ template(`userdom_manage_user_tmp_sockets',`
## be called from a per-userdomain template.
##
##
-##
-## The type of the process performing this action.
-##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
+##
+## The type of the process performing this action.
+##
#
template(`userdom_use_user_terminals',`
gen_require(`
class chr_file rw_term_perms;
')
- allow $1 $2_tty_device_t:chr_file rw_term_perms;
- allow $1 $2_devpts_t:chr_file rw_term_perms;
- term_list_ptys($1)
+ allow $2 $1_tty_device_t:chr_file rw_term_perms;
+ allow $2 $1_devpts_t:chr_file rw_term_perms;
+ term_list_ptys($2)
')
########################################