From 3c5a91dba9bcd41dd56dd5ef771e30e9e5870481 Mon Sep 17 00:00:00 2001
From: Shreenidhi Shedi <sshedi@vmware.com>
Date: Mon, 28 Mar 2022 20:53:34 +0530
Subject: [PATCH 20/20] system userdomain

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
---
 policy/modules/system/userdomain.fc | 6 ++++++
 policy/modules/system/userdomain.te | 8 ++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 8a383f6..b068806 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -34,5 +34,11 @@ HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0)
 /var/run/user/%{USERID} -d gen_context(system_u:object_r:user_tmp_t,s0)
 /var/run/user/%{USERID}/.+ <<none>>
+/run/user -d gen_context(system_u:object_r:user_tmp_t,s0)
+/run/user/[^/]+ -d gen_context(system_u:object_r:user_tmp_t,s0)
+/run/user/[^/]+/.+ <<none>>
+/run/user/%{USERID} -d gen_context(system_u:object_r:user_tmp_t,s0)
+/run/user/%{USERID}/.+ <<none>>
+
 /tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
 /var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 3ac8c12..a838fb3 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
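Review bot: The new `/run/user -d gen_context(system_u:object_r:user_tmp_t,s0)` line gives the root-owned parent directory the same user-writable type as the per-user runtime directories beneath it, so the MAC layer no longer distinguishes the container from its contents; the visible context only ever labelled the `%{USERID}` level, not `/var/run/user` itself. Unless every domain that manages `user_tmp_t` directories is meant to be able to create or rename entries directly under `/run/user`, the parent should keep its inherited `/run` label (or a dedicated non-user-writable type if this policy has one) and only the `/run/user/[^/]+` line should be kept. The `/run/user/%{USERID}` pair duplicates what `/run/user/[^/]+` already matches with an identical context, so one of the two pairs is redundant; the `%{USERID}` form only earns its place when the context differs per user. Please also confirm the old `/var/run/user/%{USERID}` lines are still wanted on a system where `/var/run` is a symlink to `/run`; keeping both sets is harmless but should be a deliberate choice noted in the commit message.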
@@ -98,7 +98,7 @@ files_type(user_devpts_t)
 ubac_constrained(user_devpts_t)
 type user_tmp_t, user_tmp_type, user_tmpfs_type;
-typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+typealias user_tmp_t alias { wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
 typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
 typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
 typealias user_tmp_t alias xdm_tmp_t;
@@ -272,7 +272,7 @@ tunable_policy(`use_ecryptfs_home_dirs',`
 fs_manage_ecryptfs_symlinks(userdom_home_manager_type)
 ')
-# vi /etc/mtab can cause an avc trying to relabel to self.
+# vi /etc/mtab can cause an avc trying to relabel to self.
 dontaudit userdomain self:file relabelto;
 userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file })
@@ -557,7 +557,7 @@ storage_rw_fuse(confined_admindomain)
 init_stream_connect(confined_admindomain)
 # The library functions always try to open read-write first,
-# then fall back to read-only if it fails.
+# then fall back to read-only if it fails.
 init_dontaudit_rw_utmp(confined_admindomain)
 libs_exec_ld_so(confined_admindomain)
@@ -593,7 +593,7 @@ optional_policy(`
 optional_policy(`
 rpc_rw_gssd_keys(confined_admindomain)
 ')
-
+
 optional_policy(`
 ssh_rw_stream_sockets(confined_admindomain)
 ssh_delete_tmp(confined_admindomain)
-- 
2.35.1
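Review bot: Dropping `screen_tmp_t` and `winbind_tmp_t` from the `typealias user_tmp_t alias { ... }` line in the first hunk removes two identifiers that other modules may still reference, and the commit message does not say where they went. If the corresponding modules now declare these as real types (presumably the intent), this is a type split rather than a cleanup: files currently labelled through the alias stay `user_tmp_t` on disk until relabelled, and any rule that granted access via `user_tmp_t` no longer covers the new types. The description should name the companion change, e.g. `screen_tmp_t and winbind_tmp_t are now declared by their own modules`, so a reviewer can check that no remaining module references the removed aliases. The other three hunks in this file only strip trailing whitespace from comment and blank lines.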