From 16da307d2d02e3cc52ff8e6d1fb6bccc0d96b35f Mon Sep 17 00:00:00 2001
From: Dave Sugar <dsugar100@gmail.com>
Date: Tue, 19 Nov 2024 17:41:17 -0500
Subject: [PATCH] mozilla adds .mozilla directory to /etc/skel which useradd
 tries to copy

When the copy fails it stops copying any other files.

node=asdf type=AVC msg=audit(1731544222.421:251876): avc:  denied  { create } for  pid=14952 comm="useradd" name=".mozilla" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=0
node=asdf type=AVC msg=audit(1731545219.731:272250): avc:  denied  { create } for  pid=19939 comm="useradd" name=".mozilla" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.731:272251): avc:  denied  { setattr } for  pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc:  denied  { search } for  pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc:  denied  { write } for  pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc:  denied  { add_name } for  pid=19939 comm="useradd" name="extensions" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272262): avc:  denied  { create } for  pid=19939 comm="useradd" name="plugins" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_plugin_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272263): avc:  denied  { setattr } for  pid=19939 comm="useradd" name="plugins" dev="dm-7" ino=1703940 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_plugin_home_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
---
 policy/modules/admin/usermanage.te  |  3 ++
 policy/modules/system/userdomain.if | 62 +++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 10c40aad0b..bc7bd93b9e 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -551,10 +551,13 @@ seutil_run_setfiles(useradd_t, useradd_roles)
 
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
+userdom_create_all_user_home_dirs(useradd_t)
+userdom_create_all_user_home_files(useradd_t)
 userdom_manage_user_home_dirs(useradd_t)
 userdom_home_filetrans_user_home_dir(useradd_t)
 userdom_manage_user_home_content_dirs(useradd_t)
 userdom_manage_user_home_content_files(useradd_t)
+userdom_write_all_user_home_files(useradd_t)
 userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 
 optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index aa389da0f6..447ca76c5f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2109,6 +2109,68 @@ interface(`userdom_manage_user_home_content_dirs',`
 	files_search_home($1)
 ')
 
+########################################
+## <summary>
+##	Create all user home content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_create_all_user_home_dirs',`
+	gen_require(`
+		attribute user_home_content_type;
+		type user_home_dir_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	create_dirs_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+	setattr_dirs_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
+########################################
+## <summary>
+##	Create all user home content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_create_all_user_home_files',`
+	gen_require(`
+		attribute user_home_content_type;
+		type user_home_dir_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	create_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+	setattr_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
+########################################
+## <summary>
+##	Write all user home content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_all_user_home_files',`
+	gen_require(`
+		attribute user_home_content_type;
+		type user_home_dir_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	write_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
 ########################################
 ## <summary>
 ##	Delete all user home content directories.