Edit userdom_manage_tmp/tmpfs_role to use user_tmp_type and

user_tmpfs_type respectively: if a type is declared user type then the
user needs to be able to manage (and relabel) it.

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 64d9bb78e0412ad9c07cc2850d025d12b1e43e00..6f8965db7fa950d9607963091aeec4e186a6fbf9 100644 (file)
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -317,6 +317,7 @@ interface(`userdom_manage_home_role',`
 #
 interface(`userdom_manage_tmp_role',`
        gen_require(`
+               attribute user_tmp_type;
                type user_tmp_t;
        ')
 
@@ -324,13 +325,17 @@ interface(`userdom_manage_tmp_role',`
 
        files_poly_member_tmp($2, user_tmp_t)
 
-       manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-       manage_files_pattern($2, user_tmp_t, user_tmp_t)
-       manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
-       manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
-       manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
+       manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
+       manage_files_pattern($2, user_tmp_type, user_tmp_type)
+       manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+       manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+       manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
        files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
-       relabel_files_pattern($2, user_tmp_t, user_tmp_t)
+       relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
+       relabel_files_pattern($2, user_tmp_type, user_tmp_type)
+       relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+       relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+       relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
 ')
 
 #######################################
@@ -420,17 +425,23 @@ interface(`userdom_exec_user_tmp_files',`
 #
 interface(`userdom_manage_tmpfs_role',`
        gen_require(`
+               attribute user_tmpfs_type
                type user_tmpfs_t;
        ')
 
        role $1 types user_tmpfs_t;
 
-       manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
-       manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-       manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-       manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-       manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+       manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+       manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+       manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+       manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+       manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
        fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+       relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+       relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+       relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+       relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+       relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
 ')
 
 #######################################