Changeset 2822

Show
Ignore:
Timestamp:
10/01/08 14:52:21 (2 months ago)
Author:
cpebenito
Message:

rbacsep: apply ubac exemptions where necessary.

Files:

Legend:

Unmodified
Added
Removed
Modified
Copied
Moved

  • branches/rbacsep/policy/constraints

    r2759 r2822  
    108108# 
    109109 
    110 basic_ubac_constraint(fd) 
     110exempted_ubac_constraint(fd, ubacfd) 
    111111 
    112112######################################## 

  • branches/rbacsep/policy/modules/admin/sudo.if

    r2759 r2822  
    118118        userdom_manage_user_tmp_symlinks($1_sudo_t) 
    119119        userdom_use_user_terminals($1_sudo_t) 
    120         userdom_use_unpriv_users_fds($1_sudo_t) 
    121120        # for some PAM modules and for cwd 
    122121        userdom_dontaudit_search_user_home_content($1_sudo_t) 

  • branches/rbacsep/policy/modules/admin/usermanage.te

    r2782 r2822  
    504504userdom_use_unpriv_users_fds(useradd_t) 
    505505# Add/remove user home directories 
    506 userdom_manage_all_users_home_content_dirs(useradd_t) 
    507 userdom_manage_all_users_home_content_files(useradd_t) 
     506userdom_manage_user_home_content_dirs(useradd_t) 
     507userdom_manage_user_home_content_files(useradd_t) 
    508508unprivuser_home_filetrans_home_dir(useradd_t) 
    509509unprivuser_home_dir_filetrans_home_content(useradd_t, notdevfile_class_set) 

  • branches/rbacsep/policy/modules/apps/rssh.if

    r2821 r2822  
    5858## </param> 
    5959# 
    60 interface(`rssh_read_all_users_ro_content',` 
     60interface(`rssh_read_user_ro_content',` 
    6161        gen_require(` 
    6262                type rssh_ro_t; 
     
    6666        read_files_pattern($1, rssh_ro_t, rssh_ro_t) 
    6767        read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t) 
    68         refpolicywarn(`$0() and/or $1 needs to be exempt on files.') 
    6968') 

  • branches/rbacsep/policy/modules/apps/rssh.te

    r2790 r2822  
    7777miscfiles_read_localization(rssh_t) 
    7878 
    79 userdom_use_unpriv_users_fds(rssh_t) 
    80  
    8179ssh_rw_tcp_sockets(rssh_t) 
    8280ssh_rw_stream_sockets(rssh_t) 

  • branches/rbacsep/policy/modules/apps/userhelper.if

    r2759 r2822  
    138138        seutil_read_default_contexts($1_userhelper_t) 
    139139 
    140         userdom_use_unpriv_users_fds($1_userhelper_t) 
    141140        # Allow $1_userhelper_t to transition to user domains. 
    142141        userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) 

  • branches/rbacsep/policy/modules/apps/vmware.te

    r2790 r2822  
    247247 
    248248userdom_use_user_terminals(vmware_t) 
    249 userdom_use_unpriv_users_fds(vmware_t) 
    250249userdom_list_user_home_dirs(vmware_t) 
    251250# cjp: why? 

  • branches/rbacsep/policy/modules/apps/yam.te

    r2782 r2822  
    102102# Reading dotfiles... 
    103103# cjp: ? 
    104 userdom_search_all_users_home_dirs(yam_t) 
     104userdom_search_user_home_dirs(yam_t) 
    105105 
    106106# The whole point of this program is to make updates available on a 

  • branches/rbacsep/policy/modules/kernel/ubac.if

    r2759 r2822  
    2626 
    2727        typeattribute $1 ubacproc; 
     28') 
     29 
     30interface(`ubac_fd_exempt',` 
     31        gen_require(` 
     32                attribute ubacfd; 
     33        ') 
     34 
     35        typeattribute $1 ubacfd; 
    2836') 
    2937 

  • branches/rbacsep/policy/modules/kernel/ubac.te

    r2759 r2822  
    1212attribute ubacproc; 
    1313attribute ubacsock; 
     14attribute ubacfd; 
    1415attribute ubacipc; 
    1516attribute ubacxwin; 

  • branches/rbacsep/policy/modules/roles/auditadm.te

    r2784 r2822  
    170170 
    171171optional_policy(` 
     172        vmware_role(auditadm_r, auditadm_t) 
     173') 
     174 
     175optional_policy(` 
    172176        wireshark_role(auditadm_r, auditadm_t) 
    173177') 

  • branches/rbacsep/policy/modules/roles/secadm.te

    r2784 r2822  
    187187 
    188188optional_policy(` 
     189        vmware_role(secadm_r, secadm_t) 
     190') 
     191 
     192optional_policy(` 
    189193        wireshark_role(secadm_r, secadm_t) 
    190194') 

  • branches/rbacsep/policy/modules/roles/staff.te

    r2784 r2822  
    154154 
    155155optional_policy(` 
     156        vmware_role(staff_r, staff_t) 
     157') 
     158 
     159optional_policy(` 
    156160        wireshark_role(staff_r, staff_t) 
    157161') 

  • branches/rbacsep/policy/modules/roles/sysadm.te

    r2784 r2822  
    3131mls_process_read_up(sysadm_t) 
    3232 
     33ubac_process_exempt(sysadm_t) 
     34ubac_file_exempt(sysadm_t) 
     35ubac_fd_exempt(sysadm_t) 
     36 
    3337init_exec(sysadm_t) 
    34  
    35 # For sending reboot and wall messages 
    36 userdom_use_unpriv_users_ptys(sysadm_t) 
    37 userdom_use_user_ttys(sysadm_t) 
    3838 
    3939ifdef(`direct_sysadm_daemon',` 
     
    234234optional_policy(` 
    235235        lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) 
    236         lpr_admin_template(sysadm) 
    237236        lpd_role(sysadm_r, sysadm_t) 
    238237') 
     
    425424 
    426425optional_policy(` 
     426        vmware_role(sysadm_r, sysadm_t) 
     427') 
     428 
     429optional_policy(` 
    427430        vpn_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) 
    428431') 

  • branches/rbacsep/policy/modules/roles/unprivuser.te

    r2784 r2822  
    139139 
    140140optional_policy(` 
     141        vmware_role(user_r, user_t) 
     142') 
     143 
     144optional_policy(` 
    141145        wireshark_role(user_r, user_t) 
    142146') 

  • branches/rbacsep/policy/modules/services/apache.te

    r2790 r2822  
    418418 
    419419tunable_policy(`httpd_enable_homedirs',` 
    420         userdom_read_unpriv_users_home_content_files(httpd_t) 
     420        userdom_read_user_home_content_files(httpd_t) 
    421421') 
    422422 
     
    661661 
    662662tunable_policy(`httpd_enable_homedirs',` 
    663         userdom_read_unpriv_users_home_content_files(httpd_suexec_t) 
     663        userdom_read_user_home_content_files(httpd_suexec_t) 
    664664') 
    665665 
     
    719719 
    720720tunable_policy(`httpd_enable_homedirs',` 
    721         userdom_read_unpriv_users_home_content_files(httpd_sys_script_t) 
     721        userdom_read_user_home_content_files(httpd_sys_script_t) 
    722722') 
    723723 

  • branches/rbacsep/policy/modules/services/courier.te

    r2820 r2822  
    6868 
    6969# should not be needed! 
    70 userdom_search_unpriv_users_home_dirs(courier_authdaemon_t) 
     70userdom_search_user_home_dirs(courier_authdaemon_t) 
    7171 
    7272courier_domtrans_pop(courier_authdaemon_t) 
     
    101101 
    102102# do the actual work (read the Maildir) 
    103 userdom_manage_unpriv_users_home_content_files(courier_pop_t) 
     103userdom_manage_user_home_content_files(courier_pop_t) 
    104104# cjp: the fact that this is different for pop vs imap means that 
    105105# there should probably be a courier_pop_t and courier_imap_t 
    106106# this should also probably be a separate type too instead of 
    107107# the regular home dir 
    108 userdom_manage_unpriv_users_home_content_dirs(courier_pop_t) 
     108userdom_manage_user_home_content_dirs(courier_pop_t) 
    109109 
    110110######################################## 

  • branches/rbacsep/policy/modules/services/cron.te

    r2790 r2822  
    209209userdom_use_unpriv_users_fds(crond_t) 
    210210# Not sure why this is needed 
    211 userdom_list_all_users_home_dirs(crond_t) 
     211userdom_list_user_home_dirs(crond_t) 
    212212 
    213213mta_send_mail(crond_t) 
     
    476476optional_policy(` 
    477477        unconfined_domain(system_cronjob_t) 
    478  
    479         userdom_priveleged_home_dir_manager(system_cronjob_t) 
     478        userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) 
    480479') 
    481480 

  • branches/rbacsep/policy/modules/services/dovecot.te

    r2782 r2822  
    114114 
    115115userdom_dontaudit_use_unpriv_user_fds(dovecot_t) 
    116 userdom_priveleged_home_dir_manager(dovecot_t) 
     116userdom_manage_user_home_content_dirs(dovecot_t) 
     117userdom_manage_user_home_content_files(dovecot_t) 
     118userdom_manage_user_home_content_symlinks(dovecot_t) 
     119userdom_manage_user_home_content_pipes(dovecot_t) 
     120userdom_manage_user_home_content_sockets(dovecot_t) 
     121userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) 
    117122 
    118123mta_manage_spool(dovecot_t) 

  • branches/rbacsep/policy/modules/services/exim.te

    r2782 r2822  
    111111 
    112112tunable_policy(`exim_read_user_files',` 
    113         userdom_read_unpriv_users_home_content_files(exim_t) 
     113        userdom_read_user_home_content_files(exim_t) 
    114114        userdom_read_user_tmp_files(exim_t) 
    115115') 
    116116 
    117117tunable_policy(`exim_manage_user_files',` 
    118         userdom_manage_unpriv_users_home_content_dirs(exim_t) 
     118        userdom_manage_user_home_content_dirs(exim_t) 
    119119        userdom_read_user_tmp_files(exim_t) 
    120120        userdom_write_user_tmp_files(exim_t) 

  • branches/rbacsep/policy/modules/services/finger.te

    r2745 r2822  
    9494# stop it accessing sub-directories, prevents checking a Maildir for new mail, 
    9595# have to change this when we create a type for Maildir 
    96 userdom_read_unpriv_users_home_content_files(fingerd_t) 
     96userdom_read_user_home_content_files(fingerd_t) 
    9797userdom_dontaudit_use_unpriv_user_fds(fingerd_t) 
    9898 

  • branches/rbacsep/policy/modules/services/ftp.te

    r2782 r2822  
    216216        # allow access to /home 
    217217        files_list_home(ftpd_t) 
    218         userdom_read_all_users_home_content_files(ftpd_t) 
    219         userdom_manage_all_users_home_content_dirs(ftpd_t) 
    220         userdom_manage_all_users_home_content_files(ftpd_t) 
    221         userdom_manage_all_users_home_content_symlinks(ftpd_t) 
     218        userdom_read_user_home_content_files(ftpd_t) 
     219        userdom_manage_user_home_content_dirs(ftpd_t) 
     220        userdom_manage_user_home_content_files(ftpd_t) 
     221        userdom_manage_user_home_content_symlinks(ftpd_t) 
    222222        userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) 
    223223') 

  • branches/rbacsep/policy/modules/services/i18n_input.te

    r2782 r2822  
    7878 
    7979userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) 
    80 userdom_read_unpriv_users_home_content_files(i18n_input_t) 
     80userdom_read_user_home_content_files(i18n_input_t) 
    8181 
    8282sysadm_dontaudit_search_home_dirs(i18n_input_t) 

  • branches/rbacsep/policy/modules/services/lpd.if

    r2821 r2822  
    11## <summary>Line printer daemon</summary> 
    2  
    3 ####################################### 
    4 ## <summary> 
    5 ##      The administrative functions template for the lpd module. 
    6 ## </summary> 
    7 ## <desc> 
    8 ##      <p> 
    9 ##      This template creates rules for administrating the ldp service, 
    10 ##      allowing the specified user to manage lpr files. 
    11 ##      </p> 
    12 ## </desc> 
    13 ## <param name="userdomain_prefix"> 
    14 ##      <summary> 
    15 ##      The prefix of the user domain (e.g., user 
    16 ##      is the prefix for user_t). 
    17 ##      </summary> 
    18 ## </param> 
    19 ## <rolecap/> 
    20 # 
    21 template(`lpr_admin_template',` 
    22         gen_require(` 
    23                 type $1_lpr_t; 
    24                 type print_spool_t; 
    25         ') 
    26  
    27         userdom_read_all_users_home_content_files($1_lpr_t) 
    28  
    29         # Read and write shared files in the spool directory. 
    30         allow $1_lpr_t print_spool_t:file rw_file_perms; 
    31 ') 
    322 
    333######################################## 

  • branches/rbacsep/policy/modules/services/networkmanager.te

    r2820 r2822  
    133133userdom_dontaudit_use_user_ttys(NetworkManager_t) 
    134134# Read gnome-keyring 
    135 userdom_read_unpriv_users_home_content_files(NetworkManager_t) 
     135userdom_read_user_home_content_files(NetworkManager_t) 
    136136 
    137137sysadm_dontaudit_search_home_dirs(NetworkManager_t) 

  • branches/rbacsep/policy/modules/services/openvpn.te

    r2782 r2822  
    9898 
    9999tunable_policy(`openvpn_enable_homedirs',` 
    100         userdom_read_unpriv_users_home_content_files(openvpn_t) 
     100        userdom_read_user_home_content_files(openvpn_t) 
    101101') 
    102102 

  • branches/rbacsep/policy/modules/services/portslave.te

    r2782 r2822  
    9999userdom_use_unpriv_users_fds(portslave_t) 
    100100# for ~/.ppprc - if it actually exists then you need some policy to read it 
    101 userdom_search_all_users_home_dirs(portslave_t) 
     101userdom_search_user_home_dirs(portslave_t) 
    102102 
    103103mta_send_mail(portslave_t) 

  • branches/rbacsep/policy/modules/services/ppp.te

    r2820 r2822  
    178178userdom_dontaudit_use_unpriv_user_fds(pppd_t) 
    179179# for ~/.ppprc - if it actually exists then you need some policy to read it 
    180 #allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; 
    181 userdom_search_unpriv_users_home_dirs(pppd_t) 
     180userdom_search_user_home_dirs(pppd_t) 
    182181 
    183182ppp_exec(pppd_t) 

  • branches/rbacsep/policy/modules/services/procmail.te

    r2782 r2822  
    7474 
    7575# only works until we define a different type for maildir 
    76 userdom_priveleged_home_dir_manager(procmail_t) 
     76userdom_manage_user_home_content_dirs(procmail_t) 
     77userdom_manage_user_home_content_files(procmail_t) 
     78userdom_manage_user_home_content_symlinks(procmail_t) 
     79userdom_manage_user_home_content_pipes(procmail_t) 
     80userdom_manage_user_home_content_sockets(procmail_t) 
     81userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) 
    7782 
    7883# Do not audit attempts to access /root. 

  • branches/rbacsep/policy/modules/services/razor.if

    r2821 r2822  
    100100        sysnet_dns_name_resolve($1_t) 
    101101 
    102         userdom_use_unpriv_users_fds($1_t) 
    103  
    104102        optional_policy(` 
    105103                nis_use_ypbind($1_t) 

  • branches/rbacsep/policy/modules/services/razor.te

    r2790 r2822  
    7373sysnet_read_config(system_razor_t) 
    7474 
     75# cjp: this shouldn't be needed 
     76userdom_use_unpriv_users_fds(system_razor_t) 
     77 
    7578optional_policy(` 
    7679        logging_send_syslog_msg(system_razor_t) 

  • branches/rbacsep/policy/modules/services/remotelogin.te

    r2782 r2822  
    8787 
    8888userdom_use_unpriv_users_fds(remote_login_t) 
    89 userdom_search_all_users_home_content(remote_login_t) 
     89userdom_search_user_home_content(remote_login_t) 
    9090# Only permit unprivileged user domains to be entered via rlogin, 
    9191# since very weak authentication is used. 

  • branches/rbacsep/policy/modules/services/rlogin.te

    r2782 r2822  
    8787seutil_read_config(rlogind_t) 
    8888 
    89 userdom_setattr_unpriv_users_ptys(rlogind_t) 
     89userdom_setattr_user_ptys(rlogind_t) 
    9090# cjp: this is egregious 
    91 userdom_read_all_users_home_content_files(rlogind_t) 
     91userdom_read_user_home_content_files(rlogind_t) 
    9292 
    9393remotelogin_domtrans(rlogind_t) 

  • branches/rbacsep/policy/modules/services/rshd.te

    r2782 r2822  
    6565seutil_read_default_contexts(rshd_t) 
    6666 
    67 userdom_search_all_users_home_content(rshd_t) 
     67userdom_search_user_home_content(rshd_t) 
    6868 
    6969tunable_policy(`use_nfs_home_dirs',` 

  • branches/rbacsep/policy/modules/services/samba.te

    r2782 r2822  
    743743 
    744744userdom_dontaudit_use_unpriv_user_fds(winbind_t) 
    745 userdom_priveleged_home_dir_manager(winbind_t) 
     745userdom_manage_user_home_content_dirs(winbind_t) 
     746userdom_manage_user_home_content_files(winbind_t) 
     747userdom_manage_user_home_content_symlinks(winbind_t) 
     748userdom_manage_user_home_content_pipes(winbind_t) 
     749userdom_manage_user_home_content_sockets(winbind_t) 
     750userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) 
    746751 
    747752sysadm_dontaudit_search_home_dirs(winbind_t) 

  • branches/rbacsep/policy/modules/services/spamassassin.te

    r2790 r2822  
    138138 
    139139sysnet_dns_name_resolve(spamassassin_t) 
    140  
    141 userdom_use_unpriv_users_fds(spamassassin_t) 
    142 # cjp: this really should just be the 
    143 # terminal specific to the role 
    144 userdom_use_unpriv_users_ptys(spamassassin_t) 
    145140 
    146141# this should probably be removed: 
     
    276271 
    277272sysnet_read_config(spamc_t) 
    278  
    279 userdom_use_unpriv_users_fds(spamc_t) 
    280 # cjp: this really should just be the 
    281 # terminal specific to the role 
    282 userdom_use_unpriv_users_ptys(spamc_t) 
    283273 
    284274# cjp: this should probably be removed: 
     
    411401 
    412402userdom_use_unpriv_users_fds(spamd_t) 
    413 userdom_search_unpriv_users_home_dirs(spamd_t) 
     403userdom_search_user_home_dirs(spamd_t) 
    414404 
    415405sysadm_dontaudit_search_home_dirs(spamd_t) 

  • branches/rbacsep/policy/modules/services/squid.te

    r2820 r2822  
    151151 
    152152userdom_use_unpriv_users_fds(squid_t) 
    153 userdom_dontaudit_use_unpriv_user_fds(squid_t) 
    154153 
    155154sysadm_dontaudit_search_home_dirs(squid_t) 

  • branches/rbacsep/policy/modules/services/ssh.if

    r2783 r2822  
    260260 
    261261        userdom_dontaudit_relabelfrom_user_ptys($1_t) 
    262         userdom_search_all_users_home_dirs($1_t) 
     262        userdom_search_user_home_dirs($1_t) 
    263263 
    264264        tunable_policy(`use_nfs_home_dirs',` 

  • branches/rbacsep/policy/modules/services/ssh.te

    r2820 r2822  
    171171sysnet_dns_name_resolve(ssh_t) 
    172172 
    173 userdom_use_unpriv_users_fds(ssh_t) 
    174173userdom_dontaudit_list_user_home_dirs(ssh_t) 
    175174userdom_search_user_home_dirs(ssh_t) 
     
    321320kernel_link_key(sshd_t) 
    322321 
     322term_use_all_user_ptys(sshd_t) 
     323term_setattr_all_user_ptys(sshd_t) 
     324term_relabelto_all_user_ptys(sshd_t) 
     325 
    323326# for X forwarding 
    324327corenet_tcp_bind_xserver_port(sshd_t) 
     
    330333        # display the tty. 
    331334        # some versions of sshd on the new SE Linux require setattr 
    332         term_use_all_user_ptys(sshd_t) 
    333         term_setattr_all_user_ptys(sshd_t) 
    334         term_relabelto_all_user_ptys(sshd_t) 
    335  
    336335        userdom_spec_domtrans_all_users(sshd_t) 
    337336        userdom_signal_all_users(sshd_t) 
     
    339338        userdom_spec_domtrans_unpriv_users(sshd_t) 
    340339        userdom_signal_unpriv_users(sshd_t) 
    341  
    342         userdom_setattr_unpriv_users_ptys(sshd_t) 
    343         userdom_relabelto_user_ptys(sshd_t) 
    344         userdom_use_unpriv_users_ptys(sshd_t) 
    345340') 
    346341 
     
    360355        rssh_spec_domtrans_all_users(sshd_t) 
    361356        # For reading /home/user/.ssh 
    362         rssh_read_all_users_ro_content(sshd_t) 
     357        rssh_read_user_ro_content(sshd_t) 
    363358') 
    364359 

  • branches/rbacsep/policy/modules/services/telnet.te

    r2782 r2822  
    8888remotelogin_domtrans(telnetd_t) 
    8989 
    90 userdom_search_unpriv_users_home_dirs(telnetd_t) 
     90userdom_search_user_home_dirs(telnetd_t) 
    9191 
    9292optional_policy(` 

  • branches/rbacsep/policy/modules/services/uwimap.te

    r2745 r2822  
    7878# cjp: this is excessive, should be limited to the 
    7979# mail directories 
    80 userdom_priveleged_home_dir_manager(imapd_t) 
     80userdom_manage_user_home_content_dirs(imapd_t) 
     81userdom_manage_user_home_content_files(imapd_t) 
     82userdom_manage_user_home_content_symlinks(imapd_t) 
     83userdom_manage_user_home_content_pipes(imapd_t) 
     84userdom_manage_user_home_content_sockets(imapd_t) 
     85userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file fifo_file sock_file }) 
    8186 
    8287sysadm_dontaudit_search_home_dirs(imapd_t) 

  • branches/rbacsep/policy/modules/services/xserver.te

    r2820 r2822  
    478478userdom_create_all_users_keys(xdm_t) 
    479479# for .dmrc 
    480 userdom_read_unpriv_users_home_content_files(xdm_t) 
     480userdom_read_user_home_content_files(xdm_t) 
    481481# Search /proc for any user domain processes. 
    482482userdom_read_all_users_state(xdm_t) 
     
    836836# to read ROLE_home_t - examine this in more detail 
    837837# (xauth?) 
    838 userdom_read_unpriv_users_home_content_files(xserver_t) 
    839  
    840 xserver_use_all_users_fonts(xserver_t) 
     838userdom_read_user_home_content_files(xserver_t) 
     839 
     840xserver_use_user_fonts(xserver_t) 
    841841 
    842842tunable_policy(`use_nfs_home_dirs',` 

  • branches/rbacsep/policy/modules/system/authlogin.te

    r2790 r2822  
    174174 
    175175logging_send_syslog_msg(pam_t) 
    176  
    177 userdom_use_unpriv_users_fds(pam_t) 
    178176 
    179177ifdef(`distro_ubuntu',` 

  • branches/rbacsep/policy/modules/system/init.te

    r2820 r2822  
    387387seutil_read_config(initrc_t) 
    388388 
    389 userdom_read_all_users_home_content_files(initrc_t) 
     389userdom_read_user_home_content_files(initrc_t) 
    390390 
    391391# Allow access to the sysadm TTYs. Note that this will give access to the  

  • branches/rbacsep/policy/modules/system/locallogin.te

    r2782 r2822  
    135135userdom_spec_domtrans_all_users(local_login_t) 
    136136userdom_signal_all_users(local_login_t) 
    137 userdom_search_all_users_home_content(local_login_t) 
     137userdom_search_user_home_content(local_login_t) 
    138138userdom_use_unpriv_users_fds(local_login_t) 
    139139userdom_sigchld_all_users(local_login_t) 

  • branches/rbacsep/policy/modules/system/selinuxutil.te

    r2745 r2822  
    284284seutil_libselinux_linked(newrole_t) 
    285285 
    286 userdom_use_unpriv_users_fds(newrole_t) 
    287286# for some PAM modules and for cwd 
    288287userdom_dontaudit_search_user_home_content(newrole_t) 
    289 userdom_search_all_users_home_dirs(newrole_t) 
     288userdom_search_user_home_dirs(newrole_t) 
    290289 
    291290ifdef(`distro_ubuntu',` 
     
    596595userdom_use_all_users_fds(setfiles_t) 
    597596# for config files in a home directory 
    598 userdom_read_all_users_home_content_files(setfiles_t) 
     597userdom_read_user_home_content_files(setfiles_t) 
    599598 
    600599ifdef(`distro_debian',` 

  • branches/rbacsep/policy/modules/system/unconfined.te

    r2820 r2822  
    4949unconfined_domain(unconfined_t) 
    5050 
    51 userdom_priveleged_home_dir_manager(unconfined_t
     51userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }
    5252 
    5353ifdef(`distro_gentoo',` 

  • branches/rbacsep/policy/modules/system/userdomain.if

    r2782 r2822  
    850850        gen_require(` 
    851851                attribute unpriv_userdomain; 
    852                 attribute privhome; 
    853852        ') 
    854853 
     
    10671066template(`userdom_admin_user_template',` 
    10681067        gen_require(` 
    1069                 attribute privhome; 
    10701068                class passwd { passwd chfn chsh rootok }; 
    10711069        ') 
     
    10801078        userdom_common_user_template($1) 
    10811079 
    1082         typeattribute $1_t privhome; 
    10831080        domain_obj_id_change_exemption($1_t) 
    10841081        role system_r types $1_t; 
     
    11811178        seutil_manage_bin_policy($1_t) 
    11821179 
     1180        userdom_manage_user_home_content_dirs($1_t) 
     1181        userdom_manage_user_home_content_files($1_t) 
     1182        userdom_manage_user_home_content_symlinks($1_t) 
     1183        userdom_manage_user_home_content_pipes($1_t) 
     1184        userdom_manage_user_home_content_sockets($1_t) 
     1185        userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) 
     1186 
    11831187        tunable_policy(`user_rw_noexattrfile',` 
    11841188                fs_manage_noxattr_fs_files($1_t) 
     
    24392443######################################## 
    24402444## <summary> 
    2441 ##      Search all users home directories. 
    2442 ## </summary> 
    2443 ## <param name="domain"> 
    2444 ##      <summary> 
    2445 ##      Domain allowed access. 
    2446 ##      </summary> 
    2447 ## </param> 
    2448 
    2449 interface(`userdom_search_all_users_home_dirs',` 
    2450         gen_require(` 
    2451                 type user_home_dir_t; 
    2452         ') 
    2453  
    2454         files_list_home($1) 
    2455         allow $1 user_home_dir_t:dir search_dir_perms; 
    2456         refpolicywarn(`$0() and/or $1 needs to be exempt on files.') 
    2457 ') 
    2458  
    2459 ######################################## 
    2460 ## <summary> 
    2461 ##      List all users home directories. 
    2462 ## </summary> 
    2463 ## <param name="domain"> 
    2464 ##      <summary> 
    2465 ##      Domain allowed access. 
    2466 ##      </summary> 
    2467 ## </param> 
    246