userdomain: Introduce types for /run/user

These are the types for /run/user, analogous to /home's home_root_t and
home_dir_t.

2 files changed, 22 insertions, 0 deletions

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db7597682..0ec8d11dd 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -2,3 +2,10 @@ HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
+
+/var/run/user		-d	gen_context(system_u:object_r:user_runtime_root_t,s0)
+/var/run/user/[^/]+	-d	gen_context(system_u:object_r:user_runtime_t,s0)
+/var/run/user/[^/]+/.+	-d	<<none>>
+# new genhomedircon required for these patterns
+/var/run/user/%{USERID}	-d	gen_context(system_u:object_r:user_runtime_t,s0)
+/var/run/user/%{USERID}/.+	<<none>>
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 2a368512d..8def7fd00 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,3 +93,18 @@ userdom_user_home_content(user_tmpfs_t)
 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
 dev_node(user_tty_device_t)
 ubac_constrained(user_tty_device_t)
+
+type user_runtime_root_t;
+fs_associate_tmpfs(user_runtime_root_t)
+files_mountpoint(user_runtime_root_t)
+files_poly_parent(user_runtime_root_t)
+
+type user_runtime_t;
+fs_associate_tmpfs(user_runtime_t)
+files_type(user_runtime_t)
+files_mountpoint(user_runtime_t)
+files_associate_tmp(user_runtime_t)
+files_poly(user_runtime_t)
+files_poly_member(user_runtime_t)
+files_poly_parent(user_runtime_t)
+ubac_constrained(user_runtime_t)