diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if index 5ad0661..3d604ad 100644 --- a/refpolicy/policy/modules/apps/irc.if +++ b/refpolicy/policy/modules/apps/irc.if @@ -65,7 +65,7 @@ template(`irc_per_userdomain_template',` allow $1_irc_t $1_irc_home_t:dir create_dir_perms; allow $1_irc_t $1_irc_home_t:file create_file_perms; allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms; - userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t) + userdom_filetrans_user_home_dir($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file }) # access files under /tmp allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms; diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if index b390cb4..e99d538 100644 --- a/refpolicy/policy/modules/apps/java.if +++ b/refpolicy/policy/modules/apps/java.if @@ -126,12 +126,12 @@ template(`java_per_userdomain_template',` userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t) userdom_dontaudit_setattr_user_home_files($1,$1_javaplugin_t) userdom_dontaudit_exec_user_home_files($1,$1_javaplugin_t) - userdom_create_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file },$1_home_t) userdom_manage_user_home_subdirs($1,$1_javaplugin_t) userdom_manage_user_home_subdir_files($1,$1_javaplugin_t) userdom_manage_user_home_subdir_symlinks($1,$1_javaplugin_t) userdom_manage_user_home_subdir_pipes($1,$1_javaplugin_t) userdom_manage_user_home_subdir_sockets($1,$1_javaplugin_t) + userdom_filetrans_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file }) # libdeploy.so legacy tunable_policy(`allow_execmem',` diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 66caebb..fa0d30c 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -142,7 +142,7 @@ template(`cron_per_userdomain_template',` userdom_manage_user_home_subdir_symlinks($1,$1_crond_t) userdom_manage_user_home_subdir_pipes($1,$1_crond_t) userdom_manage_user_home_subdir_sockets($1,$1_crond_t) -# userdom_create_user_home($1,$1_crond_t,notdevfile_class_set) +# userdom_filetrans_user_home($1,$1_crond_t,notdevfile_class_set) tunable_policy(`fcron_crond', ` allow crond_t $1_cron_spool_t:file create_file_perms; diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 743dae1..75a112d 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -159,7 +159,7 @@ ifdef(`targeted_policy',` userdom_manage_user_home_subdir_symlinks(user,crond_t) userdom_manage_user_home_subdir_pipes(user,crond_t) userdom_manage_user_home_subdir_sockets(user,crond_t) - userdom_create_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file }) + userdom_filetrans_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file }) allow crond_t unconfined_t:dbus send_msg; allow crond_t initrc_t:dbus send_msg; diff --git a/refpolicy/policy/modules/services/ftp.if b/refpolicy/policy/modules/services/ftp.if index bf1c3dd..ccd4b4d 100644 --- a/refpolicy/policy/modules/services/ftp.if +++ b/refpolicy/policy/modules/services/ftp.if @@ -22,16 +22,12 @@ ## # template(`ftp_per_userdomain_template',` - gen_require(` - type ftpd_t; - ') - tunable_policy(`ftpd_is_daemon',` userdom_manage_user_home_subdir_files($1,ftpd_t) userdom_manage_user_home_subdir_symlinks($1,ftpd_t) userdom_manage_user_home_subdir_sockets($1,ftpd_t) userdom_manage_user_home_subdir_pipes($1,ftpd_t) - userdom_create_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file }) + userdom_filetrans_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file }) ') ') diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index 7ffe9f6..a4bf5d9 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -142,7 +142,7 @@ ifdef(`targeted_policy',` userdom_manage_user_home_subdir_symlinks(user,ftpd_t) userdom_manage_user_home_subdir_sockets(user,ftpd_t) userdom_manage_user_home_subdir_pipes(user,ftpd_t) - userdom_create_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file }) + userdom_filetrans_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file }) ') ') ') diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 5e1384e..1b0eeaa 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -36,11 +36,6 @@ interface(`mta_stub',` # template(`mta_base_mail_template',` - gen_require(` - attribute user_mail_domain; - type sendmail_exec_t; - ') - ############################## # # $1_mail_t declarations @@ -175,11 +170,11 @@ template(`mta_base_mail_template',` ## # template(`mta_per_userdomain_template',` - gen_require(` - attribute mailserver_domain, mta_user_agent; - attribute mailserver_delivery, user_mail_domain; - type sendmail_exec_t; - ') + + ############################## + # + # Declarations + # mta_base_mail_template($1) role $3 types $1_mail_t; @@ -210,7 +205,7 @@ template(`mta_per_userdomain_template',` userdom_use_user_terminals($1,mta_user_agent) # Create dead.letter in user home directories. userdom_manage_user_home_subdir_files($1,$1_mail_t) - userdom_create_user_home($1,$1_mail_t,file) + userdom_filetrans_user_home($1,$1_mail_t,file) # for reading .forward - maybe we need a new type for it? # also for delivering mail to maildir userdom_manage_user_home_subdirs($1,mailserver_delivery) @@ -218,7 +213,7 @@ template(`mta_per_userdomain_template',` userdom_manage_user_home_subdir_symlinks($1,mailserver_delivery) userdom_manage_user_home_subdir_pipes($1,mailserver_delivery) userdom_manage_user_home_subdir_sockets($1,mailserver_delivery) - userdom_create_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file }) + userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file }) tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files($1_mail_t) diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 9bc6a3f..64f5ed8 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -79,7 +79,7 @@ ifdef(`targeted_policy',` userdom_manage_user_home_subdir_symlinks(user,mailserver_delivery) userdom_manage_user_home_subdir_pipes(user,mailserver_delivery) userdom_manage_user_home_subdir_sockets(user,mailserver_delivery) - userdom_create_user_home(user,mailserver_delivery,{ dir file lnk_file fifo_file sock_file }) + userdom_filetrans_user_home(user,mailserver_delivery,{ dir file lnk_file fifo_file sock_file }) # cjp: another require-in-else to resolve # optional_policy(`postfix',`',` diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if index 34a7cad..be06290 100644 --- a/refpolicy/policy/modules/services/samba.if +++ b/refpolicy/policy/modules/services/samba.if @@ -26,16 +26,12 @@ ## # template(`samba_per_userdomain_template',` - gen_require(` - type smbd_t; - ') - tunable_policy(`samba_enable_home_dirs',` userdom_manage_user_home_subdir_files($1,smbd_t) userdom_manage_user_home_subdir_symlinks($1,smbd_t) userdom_manage_user_home_subdir_sockets($1,smbd_t) userdom_manage_user_home_subdir_pipes($1,smbd_t) - userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file }) + userdom_filetrans_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file }) ') ') diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if index 1d7aca6..db5a792 100644 --- a/refpolicy/policy/modules/services/spamassassin.if +++ b/refpolicy/policy/modules/services/spamassassin.if @@ -28,10 +28,11 @@ # cjp: when tunables are available, spamc stuff should be # toggled on activation of spamc, and similarly for spamd. template(`spamassassin_per_userdomain_template',` - gen_require(` - type spamd_t, spamd_tmp_t; - type spamc_exec_t, spamassassin_exec_t; - ') + + ############################## + # + # Declarations + # type $1_spamc_t; domain_type($1_spamc_t) @@ -194,7 +195,7 @@ template(`spamassassin_per_userdomain_template',` allow $1_spamassassin_t $1_spamassassin_home_t:lnk_file create_lnk_perms; allow $1_spamassassin_t $1_spamassassin_home_t:sock_file create_file_perms; allow $1_spamassassin_t $1_spamassassin_home_t:fifo_file create_file_perms; - userdom_create_user_home($1,$1_spamassassin_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t) + userdom_filetrans_user_home_dir($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms; allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms; @@ -215,7 +216,7 @@ template(`spamassassin_per_userdomain_template',` allow spamd_t $1_spamassassin_home_t:lnk_file create_lnk_perms; allow spamd_t $1_spamassassin_home_t:sock_file create_file_perms; allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms; - userdom_create_user_home($1,spamd_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t) + userdom_filetrans_user_home_dir($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) kernel_read_kernel_sysctls($1_spamassassin_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 3212b7d..9e86216 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -1569,12 +1569,15 @@ template(`userdom_manage_user_home_subdir_sockets',` ######################################## ## -## +## Create objects in a user home directory +## with an automatic type transition to +## a specified private type. ## ## ##

-## Create, read, write, and delete named sockets -## in a user home subdirectory. +## Create objects in a user home directory +## with an automatic type transition to +## a specified private type. ##

##

## This is a templated interface, and should only @@ -1588,49 +1591,35 @@ template(`userdom_manage_user_home_subdir_sockets',` ## ## Domain allowed access. ## -## +## +## The type of the object to create. +## +## ## The class of the object to be created. If not ## specified, file is used. ## -## -## The type of the object to create. If this is -## not specified, the regular home directory -## type is used. -## # -template(`userdom_create_user_home',` +template(`userdom_filetrans_user_home_dir',` gen_require(` - type $1_home_dir_t, $1_home_t; + type $1_home_dir_t; ') files_search_home($2) - allow $2 $1_home_dir_t:dir rw_dir_perms; - - ifelse(`$4',`',` - ifelse(`$3',`',` - type_transition $2 $1_home_dir_t:file $1_home_t; - ',` - type_transition $2 $1_home_dir_t:$3 $1_home_t; - ') - ',` - ifelse(`$3',`',` - type_transition $2 $1_home_dir_t:file $4; - ',` - type_transition $2 $1_home_dir_t:$3 $4; - ') - ') + type_transition $2 $1_home_dir_t:$4 $3; ') ######################################## ##

-## Create objects in a user home directory with -## a type transition to a specified type. +## Create objects in a user home directory +## with an automatic type transition to +## the user home file type. ## ## ##

-## Create objects in a user home directory with -## a type transition to a specified type. +## Create objects in a user home directory +## with an automatic type transition to +## the user home file type. ##

##

## This is a templated interface, and should only @@ -1644,25 +1633,19 @@ template(`userdom_create_user_home',` ## ## Domain allowed access. ## -## -## The type of the object to create. If this is -## not specified, the regular home directory -## type is used. -## ## ## The class of the object to be created. If not ## specified, file is used. ## # -template(`userdom_filetrans_user_home_dir',` +template(`userdom_filetrans_user_home',` gen_require(` type $1_home_dir_t, $1_home_t; ') files_search_home($2) allow $2 $1_home_dir_t:dir rw_dir_perms; - - type_transition $2 $1_home_dir_t:$4 $3; + type_transition $2 $1_home_dir_t:$3 $1_home_t; ') ########################################