author | John Turner <jturner.usa@gmail.com> | 2025-08-20 18:15:24 -0400 |
---|---|---|
committer | John Turner <jturner.usa@gmail.com> | 2025-08-21 17:47:14 -0400 |
commit | ebf8a5222434ed15b16b3fb8015ebedac795bb65 (patch) | |
tree | eb7bfabb72adce39bcc558857211acccdbb3cf3f /src | |
parent | d423f2bca3f9161c3c9abd58898e8cc3744a0832 (diff) | |
download | selinux-policy-ebf8a5222434ed15b16b3fb8015ebedac795bb65.tar.gz |
rework how user files work
Instead of assuming all user files exist under $HOME, we create a
.file.user module and typeattribute. This allows user files to exist
in places outside of $HOME. Also we changed filecon so that $HOME
itself is user.home.file rather than home.file.
Diffstat (limited to 'src')
-rw-r--r-- | src/file.cil | 2 | ||||
-rw-r--r-- | src/file/homefile/meson.build | 4 | ||||
-rw-r--r-- | src/file/homefile/userhomefile.cil | 34 | ||||
-rw-r--r-- | src/file/meson.build | 2 | ||||
-rw-r--r-- | src/file/userfile.cil (renamed from src/file/homefile/userfile.cil) | 32 | ||||
-rw-r--r-- | src/file/userfile/meson.build (renamed from src/file/homefile/user/meson.build) | 1 | ||||
-rw-r--r-- | src/file/userfile/sshfile.cil (renamed from src/file/homefile/user/sshfile.cil) | 30 |
7 files changed, 53 insertions, 52 deletions
diff --git a/src/file.cil b/src/file.cil
index c007396..3e72a5e 100644
--- a/src/file.cil
+++ b/src/file.cil
@@ -2,7 +2,7 @@
 ;; SPDX-License-Identifier: Unlicense
 (block file
-
+
 (macro anon_file_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)(type ARG5)) (typetransition ARG1 ARG2 ARG3 ARG4 ARG5)
diff --git a/src/file/homefile/meson.build b/src/file/homefile/meson.build
index 99c44c9..f319bcc 100644
--- a/src/file/homefile/meson.build
+++ b/src/file/homefile/meson.build
@@ -1,3 +1 @@
-modules += files('syshomefile.cil', 'userfile.cil')
-
-subdir('user')
+modules += files('syshomefile.cil', 'userhomefile.cil')
diff --git a/src/file/homefile/userhomefile.cil b/src/file/homefile/userhomefile.cil
new file mode 100644
index 0000000..838c845
--- /dev/null
+++ b/src/file/homefile/userhomefile.cil
@@ -0,0 +1,34 @@
+(in file.unconfined
+ (call .user.home.home_file_type_transition_file (typeattr dir "*")))
+
+(in file.home
+ (block user
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (call .file.home.type (typeattr))
+ (call .file.user.type (typeattr))
+ (call .xattr.associate_fs (typeattr))
+
+ (block base_template
+ (blockabstract base_template)
+ (blockinherit .file.user.base_template)
+ (call .file.home.user.type (file)))
+
+ (block template
+ (blockabstract template)
+ (blockinherit .file.home.user.base_template)
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files))))
+
+(in user
+ (block home
+ (macro home_file_type_transition_file ((type ARG1) (class ARG2) (name ARG3))
+ (call .home.file_type_transition (ARG1 file ARG2 ARG3)))
+
+ (blockinherit file.home.user.template)
+ (filecon "HOME_DIR" dir file_context)
+ (filecon "HOME_DIR/.*" any file_context)))
diff --git a/src/file/meson.build b/src/file/meson.build
index c3d21ab..7ce9130 100644
--- a/src/file/meson.build
+++ b/src/file/meson.build 
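Review bot: The new file src/file/homefile/userhomefile.cil starts straight at `(in file.unconfined` with no `;; SPDX-License-Identifier:` or GPL header, while the two .cil files this commit moves both carry a GPL notice in their context lines (`;; You should have received a copy of the GNU General Public License`), so the new module's license is undeclared. A one-line header comment per section would also help readers: `;; file.home.user: attribute and templates for user-owned files under $HOME` above `(in file.home` and `;; user.home: labels $HOME itself and everything below it as user.home.file` above `(in user`. Separately, `(call .user.home.home_file_type_transition_file (typeattr dir "*"))` passes the literal name `"*"` into a named typetransition; if `.home.file_type_transition` does not treat that value specially it would only apply to an entry literally named `*`, so a comment stating the intended meaning (or confirming the macro's handling of it) is worth adding.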
@@ -14,6 +14,7 @@ modules += files(
 'secfile.cil',
 'tmpfile.cil',
 'tmpfsfile.cil',
+ 'userfile.cil',
 'varfile.cil',
 )
@@ -26,3 +27,4 @@ subdir('runfile')
 subdir('tmpfile')
 subdir('tmpfsfile')
 subdir('varfile')
+subdir('userfile')
diff --git a/src/file/homefile/userfile.cil b/src/file/userfile.cil
index ff6a6e2..c771e0d 100644
--- a/src/file/homefile/userfile.cil
+++ b/src/file/userfile.cil
@@ -13,35 +13,23 @@
 ;; You should have received a copy of the GNU General Public License
 ;; along with this program. If not, see <https://www.gnu.org/licenses/>.
-(in file.home
-
+(in file
 (block user
-
 (macro type ((type ARG1))
 (typeattributeset typeattr ARG1))
 (typeattribute typeattr)
- (call file.home.type (typeattr))
-
- (block base_template
-
- (blockabstract base_template)
-
- (blockinherit .file.home.base_template)
+ (call file.type (typeattr))
- (call .file.home.user.type (file)))
+ (block base_template
+ (blockabstract base_template)
+ (blockinherit .file.base_template)
+ (call .file.user.type (file)))
 (block template
-
 (blockabstract template)
-
- (blockinherit .file.home.template))))
-
-(in user
-
- (block home
-
- (filecon "HOME_DIR/.*" any file_context)
-
- (blockinherit .file.home.user.template)))
+ (blockinherit .file.user.base_template)
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files))))
diff --git a/src/file/homefile/user/meson.build b/src/file/userfile/meson.build
index 6236def..444fa7d 100644
--- a/src/file/homefile/user/meson.build
+++ b/src/file/userfile/meson.build
@@ -1,2 +1 @@
 modules += files('sshfile.cil')
-
diff --git a/src/file/homefile/user/sshfile.cil b/src/file/userfile/sshfile.cil
index 377b144..f2c4597 100644
--- a/src/file/homefile/user/sshfile.cil
+++ b/src/file/userfile/sshfile.cil 
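Review bot: The added `(call file.type (typeattr))` in the rewritten `file.user` block uses a relative name while the lines around it (`.file.user.type`, `.file.base_template`, `.file.macro_template_dirs`) are written absolutely; inside `(in file (block user ...))` the relative form should still resolve outward to the global `file.type`, but `(call .file.type (typeattr))` makes that explicit and matches the rest of the block. The same mix appears in the new userhomefile.cil, where `(blockinherit file.home.user.template)` sits next to absolute `.file.home.type` and `.file.user.type` calls, so it is worth settling on one form across the three files this commit touches.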
@@ -13,29 +13,9 @@
 ;; You should have received a copy of the GNU General Public License
 ;; along with this program. If not, see <https://www.gnu.org/licenses/>.
-(in file.home.user
-
- (block ssh
-
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
-
- (typeattribute typeattr)
-
- (call file.home.user.type (typeattr))
-
- (block base_template
-
- (blockabstract base_template)
-
- (blockinherit .file.home.user.base_template)
-
- (call .file.home.user.ssh.type (file)))))
-
 (block ssh
-
- (block home
-
- (filecon "HOME_DIR/\.ssh(/.*)?" any file_context)
-
- (blockinherit .file.home.user.ssh.base_template)))
+ (block user
+ (block file
+ (blockinherit .file.user.template)
+ (filecon "HOME_DIR/\.ssh" dir file_context)
+ (filecon "HOME_DIR/\.ssh/.*" file file_context)))) |
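Review bot: The replacement `filecon` pair covers less than the removed `(filecon "HOME_DIR/\.ssh(/.*)?" any file_context)`: `HOME_DIR/\.ssh` now matches only the directory itself (`dir`) and `HOME_DIR/\.ssh/.*` only regular files (`file`), so symlinks, sockets and subdirectories below `~/.ssh` no longer receive the ssh user file type and presumably fall through to the generic `(filecon "HOME_DIR/.*" any file_context)` added in userhomefile.cil, i.e. the plain user home file label. That would let any domain allowed on user home files generally reach such entries inside the key directory, which reads as an unintended widening rather than the goal of the commit. If the narrowing is deliberate, a comment above the two lines should say so; otherwise `(filecon "HOME_DIR/\.ssh/.*" any file_context)` restores the previous coverage below the directory while keeping the new `dir` rule for `.ssh` itself.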