From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 69FDD13829C for ; Thu, 2 Jun 2016 06:32:27 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A91FF14274; Thu, 2 Jun 2016 06:32:16 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id DBE2214229 for ; Thu, 2 Jun 2016 06:32:15 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id E0E01340CA7 for ; Thu, 2 Jun 2016 06:32:14 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 8CBC71F02 for ; Thu, 2 Jun 2016 06:32:11 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1464805207.01647fd1719e35255f0b775ea104c4296696ee1d.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/userdomain.fc policy/modules/system/userdomain.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 01647fd1719e35255f0b775ea104c4296696ee1d X-VCS-Branch: master Date: Thu, 2 Jun 2016 06:32:11 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 7eff1822-8828-4f90-89ea-2fd5e1ee05bd X-Archives-Hash: 93e00685da41a03fdcfa0aed18472209 commit: 01647fd1719e35255f0b775ea104c4296696ee1d Author: Jason Zaman perfinion com> AuthorDate: Wed Jun 1 16:08:54 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Wed Jun 1 18:20:07 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=01647fd1 userdomain: Introduce types for /run/user These are the types for /run/user, analogous to /home's home_root_t and home_dir_t. policy/modules/system/userdomain.fc | 7 +++++++ policy/modules/system/userdomain.te | 15 +++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index db75976..0ec8d11 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc 
@@ -2,3 +2,10 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) + +/var/run/user -d gen_context(system_u:object_r:user_runtime_root_t,s0) +/var/run/user/[^/]+ -d gen_context(system_u:object_r:user_runtime_t,s0) +/var/run/user/[^/]+/.+ -d <> +# new genhomedircon required for these patterns +/var/run/user/%{USERID} -d gen_context(system_u:object_r:user_runtime_t,s0) +/var/run/user/%{USERID}/.+ <> diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 2a36851..8def7fd 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -93,3 +93,18 @@ userdom_user_home_content(user_tmpfs_t) type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + +type user_runtime_root_t; +fs_associate_tmpfs(user_runtime_root_t) +files_mountpoint(user_runtime_root_t) +files_poly_parent(user_runtime_root_t) + +type user_runtime_t; +fs_associate_tmpfs(user_runtime_t) +files_type(user_runtime_t) +files_mountpoint(user_runtime_t) +files_associate_tmp(user_runtime_t) +files_poly(user_runtime_t) +files_poly_member(user_runtime_t) +files_poly_parent(user_runtime_t) +ubac_constrained(user_runtime_t)
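Review bot: the two `<>` entries in the userdomain.fc hunk disagree with each other: `/var/run/user/[^/]+/.+ -d <>` carries `-d`, so only directories below a numeric runtime directory are excluded from relabeling, whereas `/var/run/user/%{USERID}/.+ <>` has no type specifier and excludes every object. With the generic patterns alone, a regular file such as a socket or lock file under /var/run/user/<uid>/ matches nothing at all, so its label is left entirely to what the tmpfs hands it at creation rather than to file_contexts. Drop the `-d` from the `[^/]+/.+` line so both forms have the same effect. Two smaller points: the commit message speaks of /run/user while every pattern here is /var/run/user, so please confirm the policy's /run to /var/run path substitution (file_contexts.subs_dist) covers these entries; and the `# new genhomedircon required for these patterns` comment should say what happens with an older genhomedircon (literal `%{USERID}` left in the compiled contexts, or a build failure), since that determines whether the `[^/]+` fallbacks above it are only a convenience or actually load-bearing.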
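Review bot: user_runtime_root_t is declared without files_type() while user_runtime_t gets an explicit `files_type(user_runtime_t)` a few lines later; if files_mountpoint() already applies files_type() the call on user_runtime_t is redundant, otherwise the root type is missing it, so use one convention for both types. The commit message describes the pair as analogous to home_root_t and home_dir_t, but this hunk adds only the type declarations and attributes: per X-VCS-Files the commit touches userdomain.fc and userdomain.te and no userdomain.if, so there is no interface for searching user_runtime_root_t or for managing content in user_runtime_t, and no domain can actually use the directories yet. Either add the interfaces in this commit or say in the commit message that they follow separately. A one-line comment above each `type` declaration naming the path it labels (the root /run/user versus the per-user /run/user/<uid>) would also make the intent obvious to the next reader.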