commit: 90a1d9d4ed373333ffbd6519e5dab72505cfd504
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Tue Nov 19 22:41:17 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90a1d9d4
mozilla adds .mozilla directory to /etc/skel which useradd tries to copy
When that copy fails, useradd stops copying any remaining skeleton files.
node=asdf type=AVC msg=audit(1731544222.421:251876): avc: denied { create }
for pid=14952 comm="useradd" name=".mozilla"
scontext=system_u:system_r:useradd_t:s0
tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=0
node=asdf type=AVC msg=audit(1731545219.731:272250): avc: denied { create }
for pid=19939 comm="useradd" name=".mozilla"
scontext=system_u:system_r:useradd_t:s0
tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.731:272251): avc: denied { setattr }
for pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938
scontext=system_u:system_r:useradd_t:s0
tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc: denied { search }
for pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938
scontext=system_u:system_r:useradd_t:s0
tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc: denied { write }
for pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938
scontext=system_u:system_r:useradd_t:s0
tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc: denied { add_name }
for pid=19939 comm="useradd" name="extensions"
scontext=system_u:system_r:useradd_t:s0
tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272262): avc: denied { create }
for pid=19939 comm="useradd" name="plugins"
scontext=system_u:system_r:useradd_t:s0
tcontext=user_u:object_r:mozilla_plugin_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272263): avc: denied { setattr }
for pid=19939 comm="useradd" name="plugins" dev="dm-7" ino=1703940
scontext=system_u:system_r:useradd_t:s0
tcontext=user_u:object_r:mozilla_plugin_home_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/usermanage.te | 3 ++
policy/modules/system/userdomain.if | 62 +++++++++++++++++++++++++++++++++++++
2 files changed, 65 insertions(+)
diff --git a/policy/modules/admin/usermanage.te
b/policy/modules/admin/usermanage.te
index 6be3f2aaa..606ef8acf 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -551,10 +551,13 @@ seutil_run_setfiles(useradd_t, useradd_roles)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
+userdom_create_all_user_home_dirs(useradd_t)
+userdom_create_all_user_home_files(useradd_t)
userdom_manage_user_home_dirs(useradd_t)
userdom_home_filetrans_user_home_dir(useradd_t)
userdom_manage_user_home_content_dirs(useradd_t)
userdom_manage_user_home_content_files(useradd_t)
+userdom_write_all_user_home_files(useradd_t)
userdom_user_home_dir_filetrans_user_home_content(useradd_t,
notdevfile_class_set)
optional_policy(`
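Review bot: The three added calls at L55–L56 and L61 widen useradd_t from user_home_t to every type carrying the user_home_content_type attribute, in every existing home directory, not just the skeleton copy into the newly created one. The denials quoted in the commit message only show mozilla_home_t and mozilla_plugin_home_t, so the attribute-wide grant is a policy choice rather than a traced need; presumably the attribute also covers types such as ssh_home_t or gpg_secret_t, which useradd_t could then setattr (chown/chmod) and write — worth confirming before merging. The reason is not obvious from the rules themselves, so I would record it inline above L55, e.g. `# useradd labels its /etc/skel copy per file_contexts (see the mozilla_home_t denials), so copied entries land in arbitrary user_home_content_type types; these grants are attribute-wide and also reach existing homes`. If the set of labels that /etc/skel can produce is known, a type-specific grant inside an optional_policy block for mozilla would be the least-privilege alternative to the `write` interface.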
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index bb293dc61..aaa7718e6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2144,6 +2144,68 @@ interface(`userdom_manage_user_home_content_dirs',`
files_search_home($1)
')
+########################################
+## <summary>
+## Create all user home content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_all_user_home_dirs',`
+ gen_require(`
+ attribute user_home_content_type;
+ type user_home_dir_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ create_dirs_pattern($1, { user_home_dir_t user_home_content_type },
user_home_content_type)
+ setattr_dirs_pattern($1, { user_home_dir_t user_home_content_type },
user_home_content_type)
+')
+
+########################################
+## <summary>
+## Create all user home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_all_user_home_files',`
+ gen_require(`
+ attribute user_home_content_type;
+ type user_home_dir_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ create_files_pattern($1, { user_home_dir_t user_home_content_type },
user_home_content_type)
+ setattr_files_pattern($1, { user_home_dir_t user_home_content_type },
user_home_content_type)
+')
+
+########################################
+## <summary>
+## Write all user home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_all_user_home_files',`
+ gen_require(`
+ attribute user_home_content_type;
+ type user_home_dir_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ write_files_pattern($1, { user_home_dir_t user_home_content_type },
user_home_content_type)
+')
+
########################################
## <summary>
## Delete all user home content directories.
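Review bot: The two `userdom_create_all_user_home_*` interfaces (L83, L106) also grant `setattr` on every existing directory or file of every user_home_content_type type, but their `<summary>` says only "Create", so a reader auditing what a caller receives will miss the chmod/chown capability; suggest `## Create and set attributes of all user home content directories.` and the matching wording for the file variant. All three new interfaces would benefit from a `<desc>` paragraph stating that user_home_content_type is an attribute spanning all home-content types, so the grant is far broader than user_home_t and a type-specific interface should be preferred where one exists. For `userdom_write_all_user_home_files` (L129) a one-line `<desc>` noting that it grants write without read, intended for populating freshly copied content, would save the next maintainer a lookup of write_files_pattern. None of the interfaces cover lnk_file or other non-regular classes; the denials shown involve only dirs, but if /etc/skel ever holds symlinks under such a directory a corresponding lnk_file pattern would be needed.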