1. photon
  2. SPECS
  3. selinux-policy
  4. system-userdomain.patch
Raw Blame History 
From 3c5a91dba9bcd41dd56dd5ef771e30e9e5870481 Mon Sep 17 00:00:00 2001
From: Shreenidhi Shedi <sshedi@vmware.com>
Date: Mon, 28 Mar 2022 20:53:34 +0530
Subject: [PATCH 20/20] system userdomain

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
---
 policy/modules/system/userdomain.fc | 6 ++++++
 policy/modules/system/userdomain.te | 8 ++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 8a383f6..b068806 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -34,5 +34,11 @@ HOME_DIR/tmp			-d	gen_context(system_u:object_r:user_tmp_t,s0)
 /var/run/user/%{USERID}	-d	gen_context(system_u:object_r:user_tmp_t,s0)
 /var/run/user/%{USERID}/.+	<<none>>
 
+/run/user	-d	gen_context(system_u:object_r:user_tmp_t,s0)
+/run/user/[^/]+	-d	gen_context(system_u:object_r:user_tmp_t,s0)
+/run/user/[^/]+/.+		<<none>>
+/run/user/%{USERID}	-d	gen_context(system_u:object_r:user_tmp_t,s0)
+/run/user/%{USERID}/.+	<<none>>
+
 /tmp/hsperfdata_root        gen_context(system_u:object_r:user_tmp_t,s0)
 /var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 3ac8c12..a838fb3 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -98,7 +98,7 @@ files_type(user_devpts_t)
 ubac_constrained(user_devpts_t)
 
 type user_tmp_t, user_tmp_type, user_tmpfs_type;
-typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+typealias user_tmp_t alias { wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
 typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
 typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
 typealias user_tmp_t alias xdm_tmp_t;
@@ -272,7 +272,7 @@ tunable_policy(`use_ecryptfs_home_dirs',`
     fs_manage_ecryptfs_symlinks(userdom_home_manager_type)
 ')
 
-# vi /etc/mtab can cause an avc trying to relabel to self.  
+# vi /etc/mtab can cause an avc trying to relabel to self.
 dontaudit userdomain self:file relabelto;
 
 userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file })
@@ -557,7 +557,7 @@ storage_rw_fuse(confined_admindomain)
 
 init_stream_connect(confined_admindomain)
 # The library functions always try to open read-write first,
-# then fall back to read-only if it fails. 
+# then fall back to read-only if it fails.
 init_dontaudit_rw_utmp(confined_admindomain)
 
 libs_exec_ld_so(confined_admindomain)
@@ -593,7 +593,7 @@ optional_policy(`
 optional_policy(`
 	rpc_rw_gssd_keys(confined_admindomain)
 ')
-	
+
 optional_policy(`
 	ssh_rw_stream_sockets(confined_admindomain)
 	ssh_delete_tmp(confined_admindomain)
-- 
2.35.1