rework how user files work

Instead of assuming all user files exist under $HOME, we create a .file.user module and typeattribute. This allows user files to exist in places outside of $HOME. Also we changed filecon so that $HOME itself is user.home.file rather than home.file.
author: John Turner <jturner.usa@gmail.com> 2025-08-20 18:15:24 -0400
committer: John Turner <jturner.usa@gmail.com> 2025-08-20 22:08:42 -0400
commit: bb228574d78232d407b78f90faf39fff28cb6c5b (patch)
tree: 8221331e8f837d6d4eafa9b55f2b471f0d442f06 /src/file
parent: d423f2bca3f9161c3c9abd58898e8cc3744a0832 (diff)
download: selinux-policy-bb228574d78232d407b78f90faf39fff28cb6c5b.tar.gz
6 files changed, 44 insertions, 50 deletions
diff --git a/src/file/homefile/meson.build b/src/file/homefile/meson.build
index 99c44c9..f319bcc 100644
--- a/src/file/homefile/meson.build
+++ b/src/file/homefile/meson.build
@@ -1,3 +1 @@
-modules += files('syshomefile.cil', 'userfile.cil')
-
-subdir('user')
+modules += files('syshomefile.cil', 'userhomefile.cil')
diff --git a/src/file/homefile/userhomefile.cil b/src/file/homefile/userhomefile.cil
new file mode 100644
index 0000000..de8a882
--- /dev/null
+++ b/src/file/homefile/userhomefile.cil
@@ -0,0 +1,30 @@
+(in file.unconfined
+    (call .user.home.home_file_type_transition_file (typeattr dir "*")))
+
+(in file.home
+    (block user
+        (macro type ((type ARG1))
+            (typeattributeset typeattr type))
+
+        (typeattribute typeattr)
+
+        (call file.home.type (typeattr))
+        (call file.user.type (typeattr))
+
+        (block base_template
+            (blockabstract base_template)
+            (blockinherit .file.user.base_template)
+            (call .file.home.user.type (file)))
+
+        (block template
+            (blockabstract template)
+            (blockinherit .file.user.template))))
+
+(in user
+    (block home
+        (macro home_file_type_transition_file ((type ARG1) (class ARG2) (name ARG3))
+            (call .home.file_type_transition (ARG1 file ARG2 ARG3)))
+        
+        (blockinherit file.home.user.template)
+        (filecon "HOME_DIR" dir file_context)
+        (filecon "HOME_DIR/.*" any file_context)))
diff --git a/src/file/meson.build b/src/file/meson.build
index c3d21ab..7ce9130 100644
--- a/src/file/meson.build
+++ b/src/file/meson.build
@@ -14,6 +14,7 @@ modules += files(
     'secfile.cil',
     'tmpfile.cil',
     'tmpfsfile.cil',
+    'userfile.cil',
     'varfile.cil',
 )
 
@@ -26,3 +27,4 @@ subdir('runfile')
 subdir('tmpfile')
 subdir('tmpfsfile')
 subdir('varfile')
+subdir('userfile')
diff --git a/src/file/homefile/userfile.cil b/src/file/userfile.cil
index ff6a6e2..7ca2150 100644
--- a/src/file/homefile/userfile.cil
+++ b/src/file/userfile.cil
@@ -13,35 +13,20 @@
 ;; You should have received a copy of the GNU General Public License
 ;; along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-(in file.home
-
+(in file
     (block user
-
         (macro type ((type ARG1))
             (typeattributeset typeattr ARG1))
 
         (typeattribute typeattr)
 
-        (call file.home.type (typeattr))
-        
-        (block base_template
-
-    	    (blockabstract base_template)
-
-    	    (blockinherit .file.home.base_template)
+        (call file.type (typeattr))
 
-    	    (call .file.home.user.type (file)))
+        (block base_template
+            (blockabstract base_template)
+            (blockinherit .file.base_template)
+            (call .file.user.type (file)))
 
         (block template
-
             (blockabstract template)
-
-            (blockinherit .file.home.template))))
-
-(in user
-
-    (block home
-
-        (filecon "HOME_DIR/.*" any file_context)
-        
-        (blockinherit .file.home.user.template)))
+            (blockinherit .file.template))))
diff --git a/src/file/homefile/user/meson.build b/src/file/userfile/meson.build
index 6236def..444fa7d 100644
--- a/src/file/homefile/user/meson.build
+++ b/src/file/userfile/meson.build
@@ -1,2 +1 @@
 modules += files('sshfile.cil')
-
diff --git a/src/file/homefile/user/sshfile.cil b/src/file/userfile/sshfile.cil
index 377b144..ac3ab86 100644
--- a/src/file/homefile/user/sshfile.cil
+++ b/src/file/userfile/sshfile.cil
@@ -13,29 +13,9 @@
 ;; You should have received a copy of the GNU General Public License
 ;; along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-(in file.home.user
-
+(in file.user
     (block ssh
+        (blockinherit .file.user.template)
 
-        (macro type ((type ARG1))
-            (typeattributeset typeattr ARG1))
-
-        (typeattribute typeattr)
-
-        (call file.home.user.type (typeattr))
-
-        (block base_template
-
-    	    (blockabstract base_template)
-
-    	    (blockinherit .file.home.user.base_template)
-
-    	    (call .file.home.user.ssh.type (file)))))
-
-(block ssh
-
-    (block home
-
-        (filecon "HOME_DIR/\.ssh(/.*)?" any file_context)
-
-        (blockinherit .file.home.user.ssh.base_template)))
+        (filecon "HOME_DIR/\.ssh" dir file_context)
+        (filecon "HOME_DIR/\.ssh/.*" file file_context)))
author	John Turner <jturner.usa@gmail.com>	2025-08-20 18:15:24 -0400
committer	John Turner <jturner.usa@gmail.com>	2025-08-20 22:08:42 -0400
commit	bb228574d78232d407b78f90faf39fff28cb6c5b (patch)
tree	8221331e8f837d6d4eafa9b55f2b471f0d442f06 /src/file
parent	d423f2bca3f9161c3c9abd58898e8cc3744a0832 (diff)
download	selinux-policy-bb228574d78232d407b78f90faf39fff28cb6c5b.tar.gz