* [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role
@ 2010-07-08 15:32 Dominick Grift
  2010-07-09 12:26 ` Christopher J. PeBenito
  2010-07-09 12:37 ` Christopher J. PeBenito
  0 siblings, 2 replies; 3+ messages in thread
From: Dominick Grift @ 2010-07-08 15:32 UTC (permalink / raw)
  To: refpolicy

Edit userdom_manage_home_role and userdom_ro_home_role to include attribute user_home_type.
Allow users that call userdom_ro_home_role() to read all userdom_user_home_content.
Allow users that call userdom_manage_home_role() to manage and relabel all userdom_user_home_content.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 d5cf579... 347d339... M	policy/modules/system/userdomain.if
 policy/modules/system/userdomain.if |   34 ++++++++++++++++++----------------
 1 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d5cf579..347d339 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -146,10 +146,11 @@ template(`userdom_base_user_template',`
 #
 interface(`userdom_ro_home_role',`
 	gen_require(`
+		attribute user_home_type;
 		type user_home_t, user_home_dir_t;
 	')
 
-	role $1 types { user_home_t user_home_dir_t };
+	role $1 types { user_home_type user_home_dir_t };
 
 	##############################
 	#
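Review bot: the `role $1 types { user_home_type user_home_dir_t };` statement in this hunk associates file types with the role, and swapping user_home_t for the whole `user_home_type` attribute does not change what it does: home content types label files, whose context carries object_r, so the role association is never consulted for them. Drop the `role` line rather than widen it (the userdom_manage_home_role hunk below carries the same statement).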
@@ -162,10 +163,10 @@ interface(`userdom_ro_home_role',`
 	allow $2 user_home_dir_t:dir list_dir_perms;
 	allow $2 user_home_t:dir list_dir_perms;
 	allow $2 user_home_t:file entrypoint;
-	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
-	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
-	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
-	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+	read_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
+	read_lnk_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
+	read_fifo_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
+	read_sock_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
 	files_list_home($2)
 
 	tunable_policy(`use_nfs_home_dirs',`
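Review bot: the four read patterns now take the `user_home_type` attribute as target, so every domain passed as $2 to userdom_ro_home_role() gains read access to every type carrying that attribute, not only user_home_t; compare the sediff of the callers before and after, since a role that never calls an application's role interface will pick up read access to that application's home type. Also, `allow $2 user_home_t:dir list_dir_perms;` two lines above is left narrow, so directories of the other user_home_type types can only be searched (via read_files_pattern), not listed; either widen it the same way or keep the whole block on user_home_t.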
@@ -219,10 +220,11 @@ interface(`userdom_ro_home_role',`
 #
 interface(`userdom_manage_home_role',`
 	gen_require(`
+		attribute user_home_type;
 		type user_home_t, user_home_dir_t;
 	')
 
-	role $1 types { user_home_t user_home_dir_t };
+	role $1 types { user_home_type user_home_dir_t };
 
 	##############################
 	#
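Review bot: the `role $1 types { user_home_type user_home_dir_t };` line here has the same problem as in userdom_ro_home_role(): file types carry object_r in their context, so associating them (now a whole attribute of them) with a role grants nothing. Remove the line instead of widening it, as the reply below also asks.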
@@ -233,16 +235,16 @@ interface(`userdom_manage_home_role',`
 
 	# full control of the home directory
 	allow $2 user_home_t:file entrypoint;
-	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-	manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-	manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-	relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
 	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
 	files_list_home($2)
 
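Review bot: widening the manage_* and relabel_* patterns to `user_home_type` lets any domain given userdom_manage_home_role() create, delete and relabel content of every application home type, and because the relabel_*_pattern calls use `user_home_type` as target, $2 gets relabelfrom and relabelto on all of those types and can relabel between any two of them (the reply quotes exactly this effect for dbadm_t and thunderbird_home_t). Meanwhile `filetrans_pattern($2, user_home_dir_t, user_home_t, ...)` and `allow $2 user_home_t:file entrypoint;` stay on user_home_t, so new files still default to user_home_t; if the widening is intended, say so in the commit message and confirm with sediff which roles pick up the new rules.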
-- 
1.7.1



* [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role
  2010-07-08 15:32 [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role Dominick Grift
@ 2010-07-09 12:26 ` Christopher J. PeBenito
  2010-07-09 12:37 ` Christopher J. PeBenito
  1 sibling, 0 replies; 3+ messages in thread
From: Christopher J. PeBenito @ 2010-07-09 12:26 UTC (permalink / raw)
  To: refpolicy

On 07/08/10 11:32, Dominick Grift wrote:
> Edit userdom_manage_home_role and userdom_ro_home_role to include attribute user_home_type.
> Allow users that call userdom_ro_home_role() to read all userdom_user_home_content.
> Allow users that call userdom_manage_home_role() to manage and relabel all userdom_user_home_content.

It didn't occur to me before, but we can't make this part of the 
changeset.  If you look at the sediff before and after this change, 
other roles, such as auditadm, dbadm, and guest gain a bunch of new 
permissions.  For example, I see:

	+ allow dbadm_t thunderbird_home_t : dir { add_name create getattr 
ioctl link lock open read relabelfrom relabelto remove_name rename 
reparent rmdir search setattr unlink write };
	+ allow dbadm_t thunderbird_home_t : fifo_file { append create getattr 
ioctl link lock open read relabelfrom relabelto rename setattr unlink 
write };
	+ allow dbadm_t thunderbird_home_t : file { append create getattr ioctl 
link lock open read relabelfrom relabelto rename setattr unlink write };
	+ allow dbadm_t thunderbird_home_t : lnk_file { create getattr link 
read relabelfrom relabelto rename setattr unlink write };
	+ allow dbadm_t thunderbird_home_t : sock_file { append create getattr 
ioctl link lock open read relabelfrom relabelto rename setattr unlink 
write };

But it doesn't have thunderbird_role().

> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 d5cf579... 347d339... M	policy/modules/system/userdomain.if
>   policy/modules/system/userdomain.if |   34 ++++++++++++++++++----------------
>   1 files changed, 18 insertions(+), 16 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d5cf579..347d339 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -146,10 +146,11 @@ template(`userdom_base_user_template',`
>   #
>   interface(`userdom_ro_home_role',`
>   	gen_require(`
> +		attribute user_home_type;
>   		type user_home_t, user_home_dir_t;
>   	')
>
> -	role $1 types { user_home_t user_home_dir_t };
> +	role $1 types { user_home_type user_home_dir_t };
>
>   	##############################
>   	#
> @@ -162,10 +163,10 @@ interface(`userdom_ro_home_role',`
>   	allow $2 user_home_dir_t:dir list_dir_perms;
>   	allow $2 user_home_t:dir list_dir_perms;
>   	allow $2 user_home_t:file entrypoint;
> -	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> +	read_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_lnk_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_fifo_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_sock_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
>   	files_list_home($2)
>
>   	tunable_policy(`use_nfs_home_dirs',`
> @@ -219,10 +220,11 @@ interface(`userdom_ro_home_role',`
>   #
>   interface(`userdom_manage_home_role',`
>   	gen_require(`
> +		attribute user_home_type;
>   		type user_home_t, user_home_dir_t;
>   	')
>
> -	role $1 types { user_home_t user_home_dir_t };
> +	role $1 types { user_home_type user_home_dir_t };
>
>   	##############################
>   	#
> @@ -233,16 +235,16 @@ interface(`userdom_manage_home_role',`
>
>   	# full control of the home directory
>   	allow $2 user_home_t:file entrypoint;
> -	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> +	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
>   	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
>   	files_list_home($2)
>


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
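
The before/after comparison the reply describes, as an added example that is not part of this thread or of refpolicy: a small Python parser for sediff-style `+ allow` lines (the input is constructed to match the shape quoted above, including the e-mail line wrapping) that reports which domains gain access to which home types, so a reviewer can spot a role picking up an application's home type it has no role interface for. The allow-list passed to `unexpected_grants()` is an assumption supplied by the reviewer, not something the tool derives.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the sediff output quoted in the reply,
# including the e-mail line wrapping that splits one rule over several lines.
SAMPLE_SEDIFF = """\
+ allow dbadm_t thunderbird_home_t : dir { add_name create getattr
ioctl link lock open read relabelfrom relabelto remove_name rename
reparent rmdir search setattr unlink write };
+ allow dbadm_t thunderbird_home_t : file { append create getattr ioctl
link lock open read relabelfrom relabelto rename setattr unlink write };
+ allow dbadm_t user_home_t : file { getattr open read };
- allow guest_t user_home_t : dir { search };
"""

# One whole allow rule: sign, source type, target type, object class, perms.
RULE_RE = re.compile(
    r"^([+-])\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{\s*([^}]*)\}\s*;")


def parse_rules(text):
    """Re-join wrapped lines until a rule is terminated by ';', then return
    (sign, source, target, class, frozenset(perms)) tuples."""
    rules, buf = [], ""
    for line in text.splitlines():
        buf = f"{buf} {line.strip()}".strip()
        if buf.endswith(";"):
            m = RULE_RE.match(buf)
            if m:
                sign, src, tgt, cls, perms = m.groups()
                rules.append((sign, src, tgt, cls, frozenset(perms.split())))
            buf = ""
    return rules


def new_targets_by_domain(rules):
    """Map each source domain to the target types it gains ('+' rules only)."""
    gained = defaultdict(set)
    for sign, src, tgt, _cls, _perms in rules:
        if sign == "+":
            gained[src].add(tgt)
    return dict(gained)


def unexpected_grants(rules, allowed):
    """Return sorted (domain, target) pairs where a domain newly reaches a type
    outside its allow-list; `allowed` (domain -> set of acceptable target
    types) is reviewer-supplied knowledge of which home types each role uses."""
    return sorted((src, tgt)
                  for src, tgts in new_targets_by_domain(rules).items()
                  for tgt in tgts if tgt not in allowed.get(src, set()))
```

On the constructed sample this flags dbadm_t gaining thunderbird_home_t, which is the kind of rule the reply says a role without thunderbird_role() should not be acquiring.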


* [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role
  2010-07-08 15:32 [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role Dominick Grift
  2010-07-09 12:26 ` Christopher J. PeBenito
@ 2010-07-09 12:37 ` Christopher J. PeBenito
  1 sibling, 0 replies; 3+ messages in thread
From: Christopher J. PeBenito @ 2010-07-09 12:37 UTC (permalink / raw)
  To: refpolicy

On 07/08/10 11:32, Dominick Grift wrote:
> Edit userdom_manage_home_role and userdom_ro_home_role to include attribute user_home_type.
> Allow users that call userdom_ro_home_role() to read all userdom_user_home_content.
> Allow users that call userdom_manage_home_role() to manage and relabel all userdom_user_home_content.
>
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 d5cf579... 347d339... M	policy/modules/system/userdomain.if
>   policy/modules/system/userdomain.if |   34 ++++++++++++++++++----------------
>   1 files changed, 18 insertions(+), 16 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d5cf579..347d339 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -146,10 +146,11 @@ template(`userdom_base_user_template',`
>   #
>   interface(`userdom_ro_home_role',`
>   	gen_require(`
> +		attribute user_home_type;
>   		type user_home_t, user_home_dir_t;
>   	')
>
> -	role $1 types { user_home_t user_home_dir_t };
> +	role $1 types { user_home_type user_home_dir_t };
>
>   	##############################
>   	#
> @@ -162,10 +163,10 @@ interface(`userdom_ro_home_role',`
>   	allow $2 user_home_dir_t:dir list_dir_perms;
>   	allow $2 user_home_t:dir list_dir_perms;
>   	allow $2 user_home_t:file entrypoint;
> -	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> +	read_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_lnk_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_fifo_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_sock_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
>   	files_list_home($2)
>
>   	tunable_policy(`use_nfs_home_dirs',`
> @@ -219,10 +220,11 @@ interface(`userdom_ro_home_role',`
>   #
>   interface(`userdom_manage_home_role',`
>   	gen_require(`
> +		attribute user_home_type;
>   		type user_home_t, user_home_dir_t;
>   	')
>
> -	role $1 types { user_home_t user_home_dir_t };
> +	role $1 types { user_home_type user_home_dir_t };

Also, this is wrong.  I have removed this and other lines like it in 
userdomain.if.

>   	##############################
>   	#
> @@ -233,16 +235,16 @@ interface(`userdom_manage_home_role',`
>
>   	# full control of the home directory
>   	allow $2 user_home_t:file entrypoint;
> -	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> +	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
>   	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
>   	files_list_home($2)
>


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

