mozilla adds .mozilla directory to /etc/skel which useradd tries to copy

[dsugar100]

When the copy fails it stops copying any other files.

node=asdf type=AVC msg=audit(1731544222.421:251876): avc: denied { create } for pid=14952 comm="useradd" name=".mozilla" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=0
node=asdf type=AVC msg=audit(1731545219.731:272250): avc: denied { create } for pid=19939 comm="useradd" name=".mozilla" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.731:272251): avc: denied { setattr } for pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc: denied { search } for pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc: denied { write } for pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc: denied { add_name } for pid=19939 comm="useradd" name="extensions" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272262): avc: denied { create } for pid=19939 comm="useradd" name="plugins" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_plugin_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272263): avc: denied { setattr } for pid=19939 comm="useradd" name="plugins" dev="dm-7" ino=1703940 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_plugin_home_t:s0 tclass=dir permissive=1

[pebenito]

I wonder if this should be generalized; any app *_home_t (or the like) could potentially be put in the skel.

[dsugar100]

Yes, I think it should be. Do you have a suggestion on how to make this generic?
Maybe the interface

interface(`usermanage_create_user_home_dirs',`
	gen_require(`
		type useradd_t;
	')

	allow useradd_t $1:dir setattr;
	create_dirs_pattern(useradd_t, $1, $1)
')

Then (in this case) in mozilla.te
usermanage_create_user_home_dirs({mozilla_home_t mozilla_plugin_home_t})

That interface name seems wrong, I'm open to better suggestions.

[pebenito]

I think we want to simply make an interface like userdom_delete_all_user_home_content_dirs(), but that allows create instead.

[dsugar100]

Ok, I think this is more like what you are suggesting. Let me know what changes are needed.

[pebenito]

That's the idea, though it would be at least 3 interfaces.