diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 32514ee..91a6a37 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -154,7 +154,7 @@ modutils_domtrans_insmod(bootloader_t)
 seutil_read_bin_policy(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
 
-userdom_getattr_user_tmpfs_files(bootloader_t)
+userdom_getattr_user_tmp_files(bootloader_t)
 userdom_use_inherited_user_terminals(bootloader_t)
 userdom_dontaudit_search_user_home_dirs(bootloader_t)
 
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 337a00e..87c6145 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5199,6 +5199,7 @@ interface(`files_search_tmp',`
 		type tmp_t;
 	')
 
+    fs_search_tmpfs($1)
 	read_lnk_files_pattern($1, tmp_t, tmp_t)
 	allow $1 tmp_t:dir search_dir_perms;
 ')
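Review bot: The new `fs_search_tmpfs($1)` call inside `files_search_tmp` hands tmpfs_t:dir search to every domain that searches /tmp, which is most of the policy, so this is a global widening rather than something the xdm/user-tmp merge itself needs. If only the user-tmp interfaces need to traverse tmpfs, put the call in `userdom_manage_tmp_role` and `userdom_search_user_tmp_dirs` and leave this kernel-layer interface untouched, or at least add `# tmpfs search: user tmp content may live on tmpfs` so the grant is explained. The added line is indented with four spaces where the surrounding interface uses tabs.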
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index a3fe7f6..13a745c 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -33,7 +33,6 @@ gen_tunable(unconfined_login, true)
 userdom_base_user_template(unconfined)
 userdom_manage_home_role(unconfined_r, unconfined_t)
 userdom_manage_tmp_role(unconfined_r, unconfined_t)
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
 userdom_unpriv_type(unconfined_t)
 
 type unconfined_exec_t;
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index e8dcfa7..eb9cefe 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -219,8 +219,9 @@ template(`ssh_server_template',`
 	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
 	term_create_pty($1_t, $1_devpts_t)
 
-	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
+	#manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	#fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
+    userdom_manage_tmp_role(system_r, sshd_t)
 
 	allow $1_t $1_var_run_t:file manage_file_perms;
 	files_pid_filetrans($1_t, $1_var_run_t, file)
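Review bot: `userdom_manage_tmp_role(system_r, sshd_t)` is hard-coded inside `ssh_server_template`, so every instantiation of the template grants the rule to sshd_t and nothing to its own `$1_t`; the subject should be the template parameter, `userdom_manage_tmp_role(system_r, $1_t)`. With the two `$1_tmpfs_t` rules commented out, `$1_tmpfs_t` (declared elsewhere in the template, outside this hunk) is no longer created by anything, and the replacement is far broader than the per-instance type it replaces: manage plus relabel over all of `user_tmp_type` and, judging by its tmpfs twin removed in userdomain.if, a `role system_r types user_tmp_t` statement. Delete the two commented-out lines rather than leaving dead policy; the template body continues outside the hunk.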
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index a8b01bf..fc87b9e 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -89,7 +89,7 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
 type ssh_tmpfs_t;
 typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
 typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
-userdom_user_tmpfs_file(ssh_tmpfs_t)
+userdom_user_tmp_file(ssh_tmpfs_t)
 
 type ssh_home_t;
 typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
@@ -127,7 +127,7 @@ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
 manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
 manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
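Review bot: Commenting out `fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, ...)` leaves the four `manage_*_pattern(ssh_t, ssh_tmpfs_t, ...)` rules above it pointing at a type nothing creates any more; objects ssh_t creates on a tmpfs now keep the parent label unless another transition for ssh_t exists outside this hunk, and none is visible. The transition remains valid after `userdom_user_tmp_file(ssh_tmpfs_t)`, so either keep the filetrans or remove the orphaned manage rules together with the type; in both cases delete the line instead of commenting it out.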
@@ -292,7 +292,7 @@ auth_exec_login_program(sshd_t)
 
 userdom_read_user_home_content_files(sshd_t)
 userdom_read_user_home_content_symlinks(sshd_t)
-userdom_manage_tmp_role(system_r, sshd_t)
+#userdom_manage_tmp_role(system_r, sshd_t)
 userdom_spec_domtrans_unpriv_users(sshd_t)
 userdom_signal_unpriv_users(sshd_t)
 userdom_dyntransition_unpriv_users(sshd_t)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 4dda124..4eee56a 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -76,10 +76,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 # /tmp
 #
 
-/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.X11-unix(/.*)?		gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.ICE-unix(/.*)?		gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.font-unix(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
+/tmp/\.font-unix(/.*)?      gen_context(system_u:object_r:user_fonts_t,s0)
 
 #
 # /usr
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index bf98136..2469c27 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -220,7 +220,7 @@ interface(`xserver_non_drawing_client',`
 interface(`xserver_user_client',`
 	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
 	gen_require(`
-		type xdm_t, xdm_tmp_t;
+		type xdm_t;
 		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
 	')
 
@@ -235,8 +235,8 @@ interface(`xserver_user_client',`
 	# for when /tmp/.X11-unix is created by the system
 	allow $1 xdm_t:fd use;
 	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-	allow $1 xdm_tmp_t:dir search_dir_perms;
-	allow $1 xdm_tmp_t:sock_file { read write };
+    userdom_search_user_tmp_dirs($1)
+    userdom_rw_user_tmp_sock_files($1)
 	dontaudit $1 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
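Review bot: `userdom_rw_user_tmp_sock_files($1)` replaces `search_dir_perms` with `list_dir_perms` on the directory and `{ read write }` with `rw_inherited_sock_file_perms` on the socket (see its definition in userdomain.if), so this deprecated interface now hands every caller directory listing and the extra inherited-socket permissions it never had. If the substitution is meant to be equivalent, give the new userdom interface `search_dir_perms` and `{ read write }`; otherwise record the widening here: `# widened from search/{ read write } by userdom_rw_user_tmp_sock_files`. The same substitution is made in `xserver_user_x_domain_template` and for `x_userdomain` in xserver.te.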
@@ -395,7 +395,7 @@ template(`xserver_object_types_template',`
 #
 template(`xserver_user_x_domain_template',`
 	gen_require(`
-		type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
+		type xdm_t, xserver_tmpfs_t;
 		type xdm_home_t;
 		type xauth_home_t, iceauth_home_t, xserver_t;
 	')
@@ -413,8 +413,8 @@ template(`xserver_user_x_domain_template',`
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
 	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
+    userdom_search_user_tmp_dirs($2)
+    userdom_rw_user_tmp_sock_files($2)
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
@@ -429,7 +429,7 @@ template(`xserver_user_x_domain_template',`
 	xserver_ro_session($2, $3)
 	xserver_use_user_fonts($2)
 
-	xserver_read_xdm_tmp_files($2)
+    userdom_read_user_tmp_files($2)
 	xserver_read_xdm_pid($2)
 	xserver_xdm_append_log($2)
 
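Review bot: `userdom_read_user_tmp_files($2)` reads the whole `user_tmp_type` attribute (its gen_require in userdomain.if requires the attribute), whereas `xserver_read_xdm_tmp_files($2)` covered only xdm_tmp_t, so every domain instantiated through `xserver_user_x_domain_template` now reads every user-tmp-derived type, not just the display manager's files. For a plain user domain that is already implied by `userdom_manage_tmp_role`, but `$2` may be a confined application domain; if the widening is intended, say so with `# reads all user_tmp_type content, not only xdm's`, otherwise use a reader restricted to `user_tmp_t`.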
@@ -817,12 +817,13 @@ interface(`xserver_manage_xdm_spool_files',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
-		type xdm_t, xdm_tmp_t, xdm_var_run_t;
+		type xdm_t, xdm_var_run_t;
 	')
 
 	files_search_tmp($1)
 	files_search_pids($1)
-	stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
+	stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
+    userdom_stream_connect($1)
 ')
 
 ########################################
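Review bot: `userdom_stream_connect($1)` is not defined in this diff; in reference policy it connects to the `userdomain` attribute through user_tmp_t rather than to xdm_t, so unless xdm_t carries that attribute the X socket under /tmp/.X11-unix (now user_tmp_t) is no longer reachable through `xserver_stream_connect_xdm`, while sockets of every user domain become reachable to its callers. Keep the peer explicit: add `type user_tmp_t;` to the gen_require and use `stream_connect_pattern($1, { user_tmp_t xdm_var_run_t }, { user_tmp_t xdm_var_run_t }, xdm_t)` instead of the userdom call.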
@@ -934,12 +935,8 @@ interface(`xserver_read_xdm_rw_config',`
 ## </param>
 #
 interface(`xserver_search_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 xdm_tmp_t:dir search_dir_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
+    userdom_search_user_tmp_dirs($1)
 ')
 
 ########################################
@@ -953,11 +950,8 @@ interface(`xserver_search_xdm_tmp_dirs',`
 ## </param>
 #
 interface(`xserver_setattr_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	allow $1 xdm_tmp_t:dir setattr_dir_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
+    userdom_dontaudit_setattr_user_tmp($1)
 ')
 
 ########################################
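Review bot: `xserver_setattr_xdm_tmp_dirs` was an `allow ... :dir setattr_dir_perms` and is now routed to `userdom_dontaudit_setattr_user_tmp`, a dontaudit, so existing callers silently lose the permission and the resulting denial is hidden from the audit log. Map it to an allow interface, e.g. `userdom_setattr_user_tmp_dirs($1)` with body `allow $1 user_tmp_t:dir setattr_dir_perms;` added to userdomain.if if it does not exist, and name that interface in the refpolicywarn text.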
@@ -971,11 +965,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 ## </param>
 #
 interface(`xserver_dontaudit_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
+    userdom_dontaudit_setattr_user_tmp($1)
 ')
 
 ########################################
@@ -990,13 +981,8 @@ interface(`xserver_dontaudit_xdm_tmp_dirs',`
 ## </param>
 #
 interface(`xserver_create_xdm_tmp_sockets',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 xdm_tmp_t:dir list_dir_perms;
-	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+    refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
+    userdom_create_user_tmp_sockets($1)
 ')
 
 ########################################
@@ -1317,12 +1303,8 @@ interface(`xserver_manage_xdm_etc_files',`
 ## </param>
 #
 interface(`xserver_read_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	files_search_tmp($1)
-	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+    refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.')
+    userdom_read_user_tmpfs_files($1)
 ')
 
 ########################################
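Review bot: The body and deprecation text of `xserver_read_xdm_tmp_files` point at `userdom_read_user_tmpfs_files`, which this same diff deprecates in favour of `userdom_read_user_tmp_files`, so each call emits two warnings and the advice sends maintainers to a dead interface. Call `userdom_read_user_tmp_files($1)` directly and name it in the refpolicywarn string.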
@@ -1336,12 +1318,8 @@ interface(`xserver_read_xdm_tmp_files',`
 ## </param>
 #
 interface(`xserver_dontaudit_read_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
-	dontaudit $1 xdm_tmp_t:file read_file_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.')
+    userdom_dontaudit_read_user_tmp_files($1)
 ')
 
 ########################################
@@ -1355,12 +1333,8 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',`
 ## </param>
 #
 interface(`xserver_rw_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	allow $1 xdm_tmp_t:dir search_dir_perms;
-	allow $1 xdm_tmp_t:file rw_file_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
+    userdom_rw_user_tmpfs_files($1)
 ')
 
 ########################################
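Review bot: `xserver_rw_xdm_tmp_files` forwards to `userdom_rw_user_tmpfs_files`, itself deprecated in this diff to `userdom_rw_user_tmp_files`, so the replacement advice names a deprecated interface and callers get a double warning. Use `userdom_rw_user_tmp_files($1)` here and in the refpolicywarn text.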
@@ -1374,11 +1348,8 @@ interface(`xserver_rw_xdm_tmp_files',`
 ## </param>
 #
 interface(`xserver_manage_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
+    userdom_manage_user_tmp_files($1)
 ')
 
 ########################################
@@ -1392,11 +1363,8 @@ interface(`xserver_manage_xdm_tmp_files',`
 ## </param>
 #
 interface(`xserver_relabel_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	allow $1 xdm_tmp_t:dir relabel_dir_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
+    userdom_relabel_user_tmp_dirs($1)
 ')
 
 ########################################
@@ -1410,11 +1378,8 @@ interface(`xserver_relabel_xdm_tmp_dirs',`
 ## </param>
 #
 interface(`xserver_manage_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
+    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
+    userdom_manage_user_tmp_dirs($1)
 ')
 
 ########################################
@@ -1429,11 +1394,8 @@ interface(`xserver_manage_xdm_tmp_dirs',`
 ## </param>
 #
 interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+    refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.')
+    usedom_dontaudit_user_getattr_tmp_sockets($1)
 ')
 
 ########################################
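Review bot: The replacement interface `usedom_dontaudit_user_getattr_tmp_sockets` is misspelled (`usedom_`) and its word order departs from the `userdom_dontaudit_<perm>_user_tmp_<class>` pattern used elsewhere in userdomain.if; the build passes only because the definition carries the same typo, and the deprecation message now advertises the misnamed interface. Call and advertise `userdom_dontaudit_getattr_user_tmp_sockets($1)` once the definition is renamed.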
@@ -1946,11 +1908,8 @@ interface(`xserver_xdm_ioctl_log',`
 ## </param>
 #
 interface(`xserver_append_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	allow $1 xdm_tmp_t:file append_inherited_file_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
+    userdom_append_user_tmp_files($1)
 ')
 
 ########################################
@@ -2296,12 +2255,8 @@ interface(`xserver_filetrans_admin_home_content',`
 ## </param>
 #
 interface(`xserver_xdm_tmp_filetrans',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
-	files_search_tmp($1)
+    refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.')
+    userdom_user_tmp_filetrans($1,$2, $3, $4)
 ')
 
 ########################################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f0e5cc0..e3f28af 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -231,12 +231,6 @@ files_type(xserver_var_lib_t)
 type xserver_var_run_t;
 files_pid_file(xserver_var_run_t)
 
-type xdm_tmp_t;
-files_tmp_file(xdm_tmp_t)
-typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
-typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-userdom_user_tmp_file(xserver_tmp_t)
-
 type xdm_tmpfs_t;
 files_tmpfs_file(xdm_tmpfs_t)
 
@@ -264,7 +258,7 @@ files_config_file(xserver_etc_t)
 type xserver_tmpfs_t;
 typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
 typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
-userdom_user_tmpfs_file(xserver_tmpfs_t)
+userdom_user_tmp_file(xserver_tmpfs_t)
 
 type xsession_exec_t;
 corecmd_executable_file(xsession_exec_t)
@@ -470,14 +464,8 @@ read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
 # this is ugly, daemons should not create files under /etc!
 manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
 
-manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
-relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-can_exec(xdm_t, xdm_tmp_t)
+userdom_manage_all_user_tmp_content(xdm_t)
+userdom_exec_user_tmp_files(xdm_t)
 
 manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
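Review bot: `userdom_manage_all_user_tmp_content(xdm_t)` grants manage over the whole `user_tmp_type` attribute, not just the former xdm_tmp_t, so the display manager can now create, rename and delete tmp content of every user-tmp-derived type; if that is intended it deserves a comment such as `# xdm manages all user tmp types, not only its own socket dir`, otherwise the `userdom_manage_user_tmp_dirs/files/sockets(xdm_t)` calls later in this file already suffice. The `files_tmp_filetrans` and `relabelfrom` rules removed here are only replaced if the `userdom_manage_tmp_role(system_r, xdm_t)` change in a later hunk lands with this one. `userdom_exec_user_tmp_files` is not defined in this diff while `userdom_execute_user_tmp_files` is; confirm the former exists, or the module will not build, and if both exist one is redundant.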
@@ -697,7 +685,7 @@ userdom_stream_connect(xdm_t)
 userdom_manage_user_tmp_dirs(xdm_t)
 userdom_manage_user_tmp_files(xdm_t)
 userdom_manage_user_tmp_sockets(xdm_t)
-userdom_manage_tmpfs_role(system_r, xdm_t)
+userdom_manage_tmp_role(system_r, xdm_t)
 
 #userdom_home_manager(xdm_t)
 tunable_policy(`xdm_write_home',`
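Review bot: With `userdom_manage_tmp_role(system_r, xdm_t)` in place, the three `userdom_manage_user_tmp_dirs/files/sockets(xdm_t)` calls directly above it are subsumed (the role interface manages all of `user_tmp_type` and adds relabel), so they can be dropped. This line is also what now carries the /tmp and tmpfs transitions into user_tmp_t that the removed xdm_tmp_t rules earlier in this file provided, so it is load-bearing rather than a rename and merits `# replaces the xdm_tmp_t filetrans and relabel rules`.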
@@ -1349,9 +1337,8 @@ dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
 read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
 
 # Label pid and temporary files with derived types.
-manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+userdom_manage_user_tmp_files(xserver_t)
+userdom_manage_user_tmp_sockets(xserver_t)
 
 # Run xkbcomp.
 allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
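Review bot: The replacement drops symlink management: the removed `manage_lnk_files_pattern(xserver_t, xdm_tmp_t, ...)` has no counterpart, so xserver_t can no longer create or remove lnk_files under user_tmp_t unless a rule outside this hunk grants it. Add the matching interface or an explicit `manage_lnk_files_pattern(xserver_t, user_tmp_t, user_tmp_t)` with `user_tmp_t` required, or note why symlinks are no longer needed. The comment `# Label pid and temporary files with derived types.` is now stale, since there is no derived type and no filetrans here.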
@@ -1591,7 +1578,6 @@ manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
 
 stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t)
 allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms;
-dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms;
 files_search_tmp(x_userdomain)
 
 # Communicate via System V shared memory.
@@ -1618,10 +1604,9 @@ allow x_userdomain xauth_home_t:file read_file_perms;
 # for when /tmp/.X11-unix is created by the system
 allow x_userdomain xdm_t:fd use;
 allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms;
-allow x_userdomain xdm_tmp_t:dir search_dir_perms;
-allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
+userdom_search_user_tmp_dirs(x_userdomain)
+userdom_rw_user_tmp_sock_files(x_userdomain)
 dontaudit x_userdomain xdm_t:tcp_socket { read write };
-dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms;
 
 allow x_userdomain xdm_t:dbus send_msg;
 allow xdm_t  x_userdomain:dbus send_msg;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 1259fbd..5e66714 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -553,7 +553,7 @@ logging_manage_all_logs(syslogd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_search_user_home_dirs(syslogd_t)
-userdom_rw_inherited_user_tmpfs_files(syslogd_t)
+userdom_rw_inherited_user_tmp_files(syslogd_t)
 
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 00b82b3..9933cad 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -413,7 +413,7 @@ allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
 manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
 manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
 fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
-userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
+userdom_rw_user_tmp_files(mount_ecryptfs_t)
 
 domain_use_interactive_fds(mount_ecryptfs_t)
 
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 4ca3a28..8f5380f 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -21,6 +21,12 @@ HOME_DIR/\.texlive2012(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
 HOME_DIR/\.texlive2013(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
 HOME_DIR/\.texlive2014(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
 
+/tmp/\.X0-lock		--	gen_context(system_u:object_r:user_tmp_t,s0)
+/tmp/\.X11-unix(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)
+/tmp/\.ICE-unix(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)
+
+
+
 /var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 
 /tmp/hsperfdata_root        gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 102478f..4f42aa5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -420,6 +420,7 @@ interface(`userdom_manage_tmp_role',`
 	manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
 	manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
 	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+    fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
 	relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
 	relabel_files_pattern($2, user_tmp_type, user_tmp_type)
 	relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
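Review bot: `fs_tmpfs_filetrans($2, user_tmp_t, ...)` makes every object a role's domains create directly on a tmpfs mount transition to user_tmp_t, a type that in this diff also carries `files_poly_parent` and `files_mountpoint`; the interface's documentation block (outside this hunk) presumably still describes /tmp only and should state that tmpfs content now receives the same label. The added line is indented with spaces where the rest of the interface uses tabs.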
@@ -427,8 +428,6 @@ interface(`userdom_manage_tmp_role',`
 	relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
 ')
 
-
-
 #######################################
 ## <summary>
 ##	Dontaudit search of user bin dirs.
@@ -534,24 +533,8 @@ interface(`userdom_manage_tmpfs_files',`
 ## <rolecap/>
 #
 interface(`userdom_manage_tmpfs_role',`
-	gen_require(`
-		attribute user_tmpfs_type;
-		type user_tmpfs_t;
-	')
-
-	role $1 types user_tmpfs_t;
-
-	manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-	relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.')
+    userdom_manage_tmp_role($1,$2)
 ')
 
 #######################################
@@ -994,7 +977,6 @@ template(`userdom_login_user_template', `
 	userdom_manage_home_role($1_r, $1_t)
 
 	userdom_manage_tmp_role($1_r, $1_usertype)
-	userdom_manage_tmpfs_role($1_r, $1_usertype)
 
 	ifelse(`$1',`unconfined',`',`
 		gen_tunable($1_exec_content, true)
@@ -1839,8 +1821,8 @@ interface(`userdom_user_tmp_file',`
 ## </param>
 #
 interface(`userdom_user_tmpfs_file',`
-	files_tmpfs_file($1)
-	ubac_constrained($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.')
+    userdom_user_tmp_file($1)
 ')
 
 ########################################
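Review bot: Routing `userdom_user_tmpfs_file` to `userdom_user_tmp_file` changes which attribute a caller's type joins: types previously registered through `files_tmpfs_file` are now registered as ordinary tmp files (assuming `userdom_user_tmp_file`, not shown, calls `files_tmp_file`), so attribute-wide grants over tmpfs files stop covering them and grants over all tmp files start to; this diff already applies that to ssh_tmpfs_t and xserver_tmpfs_t. That is a policy change rather than a rename and the warning should say so, e.g. `$0($*) has been deprecated; the type now gets files_tmp_file() semantics, use userdom_user_tmp_file() instead.` Existing `fs_tmpfs_filetrans` calls into such types keep working, since the transition does not depend on the attribute.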
@@ -1878,14 +1860,8 @@ interface(`userdom_user_tmp_content',`
 ## </param>
 #
 interface(`userdom_user_tmpfs_content',`
-	gen_require(`
-		attribute user_tmpfs_type;
-	')
-
-	typeattribute $1 user_tmpfs_type;
-
-	files_tmpfs_file($1)
-	ubac_constrained($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.')
+    userdom_user_tmp_content($1)
 ')
 
 ########################################
@@ -2400,6 +2376,43 @@ interface(`userdom_setattr_user_tmp_files',`
 
 ########################################
 ## <summary>
+##	Create a user tmp sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_create_user_tmp_sockets',`
+    gen_require(`
+        type user_tmp_t;
+    ')
+
+    files_search_tmp($1)
+    allow $1 user_tmp_t:dir list_dir_perms;
+    create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+##	Dontaudit getattr on user tmp sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
+    gen_require(`
+        type user_tmp_t;
+    ')
+    dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
+')
+
+########################################
+## <summary>
 ##	Relabel user tmp files.
 ## </summary>
 ## <param name="domain">
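Review bot: The new interface name `usedom_dontaudit_user_getattr_tmp_sockets` has a typo in its prefix and does not follow the `userdom_dontaudit_<perm>_user_tmp_<class>` order of its neighbours, so it is hard to find and the xserver.if deprecation notices point callers at a misspelled name. Rename it to `userdom_dontaudit_getattr_user_tmp_sockets`, fix the first summary to `Create user tmp sockets.`, and add the blank line after the second gen_require block that the rest of the file uses.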
@@ -2416,6 +2429,26 @@ interface(`userdom_relabel_user_tmp_files',`
 
 	allow $1 user_tmp_t:file relabel_file_perms;
 ')
+
+########################################
+## <summary>
+##	Relabel user tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_relabel_user_tmp_dirs',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:dir relabel_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to set the
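Review bot: The summary of the new `userdom_relabel_user_tmp_dirs` reads `Relabel user tmp files.`, copied from the interface above it, while the body grants `relabel_dir_perms` on directories; change it to `Relabel user tmp dirs.` so the generated interface documentation distinguishes the two.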
@@ -3068,6 +3101,25 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 ##	</summary>
 ## </param>
 #
+interface(`userdom_getattr_user_tmp_files',`
+	gen_require(`
+		attribute user_tmp_type;
+	')
+
+	getattr_files_pattern($1, user_tmp_type, user_tmp_type)
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Read user temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`userdom_read_user_tmp_files',`
 	gen_require(`
 		attribute user_tmp_type;
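Review bot: The new `userdom_getattr_user_tmp_files` is inserted directly under the doc comment that belonged to `userdom_read_user_tmp_files` (its `## <summary>` lines sit above this hunk), so it presumably inherits a `Read user temporary files` header while the read interface is re-documented below; give the getattr interface its own block with `Get the attributes of user temporary files.` It also covers the whole `user_tmp_type` attribute, wider than the single `user_tmpfs_t` the deprecated `userdom_getattr_user_tmpfs_files` used, which bootloader_t now inherits through its updated call.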
@@ -3080,6 +3132,23 @@ interface(`userdom_read_user_tmp_files',`
 
 ########################################
 ## <summary>
+##	Read user temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_append_user_tmp_files',`
+    gen_require(`
+        type user_tmp_t;
+    ')
+    allow $1 user_tmp_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read users
 ##	temporary files.
 ## </summary>
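Review bot: The summary of the new `userdom_append_user_tmp_files` says `Read user temporary files.`, but the body grants only `append_inherited_file_perms`; document it as `Append to inherited user temporary files.` so nobody selects it expecting read access. A blank line between the gen_require block and the allow would match the neighbouring interfaces.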
@@ -3135,6 +3204,25 @@ interface(`userdom_rw_user_tmp_files',`
 	rw_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
 ')
+########################################
+## <summary>
+##	Read and write user temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_rw_user_tmp_sock_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:dir list_dir_perms;
+    allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms;
+	files_search_tmp($1)
+')
 
 ########################################
 ## <summary>
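Review bot: The summary of `userdom_rw_user_tmp_sock_files` says `Read and write user temporary files.` while the body grants `rw_inherited_sock_file_perms` on sock_files plus `list_dir_perms` on the directory; document it as `Read and write inherited user temporary sockets.` The directory permission is wider than the `search_dir_perms` every xserver.if caller it replaces had, so either use `search_dir_perms` or state in the summary that listing is granted. The allow lines mix tab and space indentation.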
@@ -3372,12 +3460,8 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 ## </param>
 #
 interface(`userdom_getattr_user_tmpfs_files',`
-    gen_require(`
-        type user_tmpfs_t;
-    ')
-
-    getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-    fs_search_tmpfs($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
+    userdom_getattr_user_tmp_files($1)
 ')
 
 ########################################
@@ -3391,14 +3475,8 @@ interface(`userdom_getattr_user_tmpfs_files',`
 ## </param>
 #
 interface(`userdom_read_user_tmpfs_files',`
-	gen_require(`
-		type user_tmpfs_t;
-	')
-
-	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	allow $1 user_tmpfs_t:dir list_dir_perms;
-	fs_search_tmpfs($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.')
+    userdom_read_user_tmp_files($1)
 ')
 
 ########################################
@@ -3412,14 +3490,8 @@ interface(`userdom_read_user_tmpfs_files',`
 ## </param>
 #
 interface(`userdom_rw_user_tmpfs_files',`
-	gen_require(`
-		type user_tmpfs_t;
-	')
-
-	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	allow $1 user_tmpfs_t:dir list_dir_perms;
-	fs_search_tmpfs($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
+    userdom_rw_user_tmp_files($1)
 ')
 
 ########################################
@@ -3433,11 +3505,8 @@ interface(`userdom_rw_user_tmpfs_files',`
 ## </param>
 #
 interface(`userdom_rw_inherited_user_tmpfs_files',`
-	gen_require(`
-		type user_tmpfs_t;
-	')
-
-	allow $1 user_tmpfs_t:file rw_inherited_file_perms;
+    refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
+    userdom_rw_inherited_user_tmp_files($1)
 ')
 
 ########################################
@@ -3451,11 +3520,26 @@ interface(`userdom_rw_inherited_user_tmpfs_files',`
 ## </param>
 #
 interface(`userdom_execute_user_tmpfs_files',`
+    refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
+    userdom_execute_user_tmp_files($1)
+')
+
+########################################
+## <summary>
+##	Execute user tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_execute_user_tmp_files',`
 	gen_require(`
-		type user_tmpfs_t;
+		type user_tmp_t;
 	')
 
-	allow $1 user_tmpfs_t:file execute;
+	allow $1 user_tmp_t:file execute;
 ')
 
 ########################################
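Review bot: The new `userdom_execute_user_tmp_files` is documented as `Execute user tmpfs files.` although it now targets user_tmp_t; the summary should read `Execute user tmp files.` Its single `file execute` permission also overlaps with `userdom_exec_user_tmp_files`, which xserver.te calls in this diff but which is not defined here; if that one exists and uses `can_exec`, keep one of the two and have the deprecated tmpfs wrapper forward to it.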
@@ -5208,16 +5292,8 @@ interface(`userdom_list_all_user_tmp_content',`
 ## </param>
 #
 interface(`userdom_manage_all_user_tmpfs_content',`
-	gen_require(`
-		attribute user_tmpfs_type;
-	')
-
-	manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
-	manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-	manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-	manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-	manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-	fs_search_tmpfs($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.')    
+    userdom_manage_all_user_tmp_content($1)
 ')
 
 ########################################
@@ -5431,11 +5507,8 @@ interface(`userdom_dontaudit_setattr_user_tmp',`
 ## </param>
 #
 interface(`userdom_dontaudit_setattr_user_tmpfs',`
-	gen_require(`
-		type user_tmpfs_t;
-	')
-
-	dontaudit $1 user_tmpfs_t:file setattr;
+    refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.')
+    userdom_dontaudit_setattr_user_tmp($1)
 ')
 
 ########################################
@@ -5539,11 +5612,8 @@ interface(`userdom_delete_user_tmp_files',`
 ## </param>
 #
 interface(`userdom_delete_user_tmpfs_files',`
-	gen_require(`
-		type user_tmpfs_t;
-	')
-
-	allow $1 user_tmpfs_t:file delete_file_perms;
+    refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.')
+    userdom_delete_user_tmpfs_files($1)
 ')
 
 ########################################
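Review bot: `userdom_delete_user_tmpfs_files` now calls itself (`userdom_delete_user_tmpfs_files($1)`), so the m4 expansion recurses without bound and any module using it fails to build; the hunk header shows the intended target, `userdom_delete_user_tmp_files`. Change both the body and the warning text to `userdom_delete_user_tmp_files($1)`.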
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 7283238..6cc7d53 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -97,19 +97,18 @@ dev_node(user_devpts_t)
 files_type(user_devpts_t)
 ubac_constrained(user_devpts_t)
 
-type user_tmp_t, user_tmp_type;
+type user_tmp_t, user_tmp_type, user_tmpfs_type;
 typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
 typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
+typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+typealias user_tmp_t alias xdm_tmp_t;
+typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
 files_tmp_file(user_tmp_t)
+files_tmpfs_file(user_tmp_t)
 userdom_user_home_content(user_tmp_t)
 files_poly_parent(user_tmp_t)
 files_mountpoint(user_tmp_t)
 
-type user_tmpfs_t, user_tmpfs_type;
-typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
-files_tmpfs_file(user_tmpfs_t)
-userdom_user_home_content(user_tmpfs_t)
-
 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
 dev_node(user_tty_device_t)
 ubac_constrained(user_tty_device_t)
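Review bot: Making `xdm_tmp_t` and `xserver_tmp_t` aliases of `user_tmp_t` collapses the system-created X socket directory (/tmp/.X11-unix, .X0-lock, now labelled user_tmp_t in userdomain.fc) into the type every logged-in user domain can manage through `userdom_manage_tmp_role`, whereas before user domains had only search on that directory and read/write on the socket. Type enforcement therefore no longer stops a user domain from unlinking or replacing the display socket or lock file; DAC (sticky /tmp, root-owned socket) is the remaining barrier, which should be recorded as a deliberate decision: `# xdm_tmp_t merged into user_tmp_t: X socket dir now protected by DAC only`. Adding `files_tmpfs_file(user_tmp_t)` next to `files_tmp_file` also puts one type in both the tmp and tmpfs file attributes, so every attribute-wide grant in either family now reaches the other's content. `user_tmpfs_type` is left with a single member and no interface that adds to it, so it can be dropped or documented as legacy.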