* Question: ROLE_file_type vs customizable
@ 2005-04-14 20:20 Ivan Gyurdiev
2005-04-15 14:51 ` Daniel J Walsh
2005-04-15 14:53 ` Daniel J Walsh
0 siblings, 2 replies; 3+ messages in thread
From: Ivan Gyurdiev @ 2005-04-14 20:20 UTC (permalink / raw)
To: selinux; +Cc: dwalsh
What is the purpose of "$1_file_type". How does that differ from
"customizable", besides embedding the user in the type? Should
customizable be $1_customizable instead, and then there can be a
centralized rule that allows ROLE_t relabelto/relabelfrom and other
privileges to ROLE_customizable ?
Here are all the allow rules associated with $1_file_type.
Why is gpg able to write to every file type marked with this attribute?
allow sysadm_gpg_t sysadm_file_type:dir { read getattr lock search ioctl
add_name remove_name write };
allow sysadm_gpg_t sysadm_file_type:file { create ioctl read getattr
lock write setattr append link unlink rename };
allow sysadm_gpg_t sysadm_file_type:lnk_file { create read getattr
setattr link unlink rename };
allow user_gpg_t user_file_type:dir { read getattr lock search ioctl
add_name remove_name write };
allow user_gpg_t user_file_type:file { create ioctl read getattr lock
write setattr append link unlink rename };
allow user_gpg_t user_file_type:lnk_file { create read getattr setattr
link unlink rename };
allow user_locate_t { home_root_t user_home_dir_t user_file_type }:dir
{ getattr search };
allow user_locate_t user_file_type:{ file lnk_file } { getattr read };
allow user_file_type user_home_t:filesystem associate;
allow staff_gpg_t staff_file_type:dir { read getattr lock search ioctl
add_name remove_name write };
allow staff_gpg_t staff_file_type:file { create ioctl read getattr lock
write setattr append link unlink rename };
allow staff_gpg_t staff_file_type:lnk_file { create read getattr setattr
link unlink rename };
allow staff_locate_t { home_root_t staff_home_dir_t
staff_file_type }:dir { getattr search };
allow staff_locate_t staff_file_type:{ file lnk_file } { getattr read };
allow staff_file_type staff_home_t:filesystem associate;
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Question: ROLE_file_type vs customizable
2005-04-14 20:20 Question: ROLE_file_type vs customizable Ivan Gyurdiev
@ 2005-04-15 14:51 ` Daniel J Walsh
2005-04-15 14:53 ` Daniel J Walsh
1 sibling, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2005-04-15 14:51 UTC (permalink / raw)
To: ivg2; +Cc: selinux
Ivan Gyurdiev wrote:
>What is the purpose of "$1_file_type". How does that differ from
>"customizable", besides embedding the user in the type? Should
>customizable be $1_customizable instead, and then there can be a
>centralized rule that allows ROLE_t relabelto/relabelfrom and other
>privileges to ROLE_customizable ?
>
>
Customizable is just a flag to tell restorecon/setfiles/fixfiles not to
mess with this file_context.
So no their should only be one type. $1_file_type is a type the a user
can manipulate specific
to the user.
>Here are all the allow rules associated with $1_file_type.
>Why is gpg able to write to every file type marked with this attribute?
>
>allow sysadm_gpg_t sysadm_file_type:dir { read getattr lock search ioctl
>add_name remove_name write };
>allow sysadm_gpg_t sysadm_file_type:file { create ioctl read getattr
>lock write setattr append link unlink rename };
>allow sysadm_gpg_t sysadm_file_type:lnk_file { create read getattr
>setattr link unlink rename };
>allow user_gpg_t user_file_type:dir { read getattr lock search ioctl
>add_name remove_name write };
>allow user_gpg_t user_file_type:file { create ioctl read getattr lock
>write setattr append link unlink rename };
>allow user_gpg_t user_file_type:lnk_file { create read getattr setattr
>link unlink rename };
>allow user_locate_t { home_root_t user_home_dir_t user_file_type }:dir
>{ getattr search };
>allow user_locate_t user_file_type:{ file lnk_file } { getattr read };
>allow user_file_type user_home_t:filesystem associate;
>allow staff_gpg_t staff_file_type:dir { read getattr lock search ioctl
>add_name remove_name write };
>allow staff_gpg_t staff_file_type:file { create ioctl read getattr lock
>write setattr append link unlink rename };
>allow staff_gpg_t staff_file_type:lnk_file { create read getattr setattr
>link unlink rename };
>allow staff_locate_t { home_root_t staff_home_dir_t
>staff_file_type }:dir { getattr search };
>allow staff_locate_t staff_file_type:{ file lnk_file } { getattr read };
>allow staff_file_type staff_home_t:filesystem associate;
>
>
>
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Question: ROLE_file_type vs customizable
2005-04-14 20:20 Question: ROLE_file_type vs customizable Ivan Gyurdiev
2005-04-15 14:51 ` Daniel J Walsh
@ 2005-04-15 14:53 ` Daniel J Walsh
1 sibling, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2005-04-15 14:53 UTC (permalink / raw)
To: ivg2; +Cc: selinux
Ivan Gyurdiev wrote:
>What is the purpose of "$1_file_type". How does that differ from
>"customizable", besides embedding the user in the type? Should
>customizable be $1_customizable instead, and then there can be a
>centralized rule that allows ROLE_t relabelto/relabelfrom and other
>privileges to ROLE_customizable ?
>
>Here are all the allow rules associated with $1_file_type.
>Why is gpg able to write to every file type marked with this attribute?
>
>
>
gpg needs to be able to sign/encrypt stuff, I think is the reasoning.
>allow sysadm_gpg_t sysadm_file_type:dir { read getattr lock search ioctl
>add_name remove_name write };
>allow sysadm_gpg_t sysadm_file_type:file { create ioctl read getattr
>lock write setattr append link unlink rename };
>allow sysadm_gpg_t sysadm_file_type:lnk_file { create read getattr
>setattr link unlink rename };
>allow user_gpg_t user_file_type:dir { read getattr lock search ioctl
>add_name remove_name write };
>allow user_gpg_t user_file_type:file { create ioctl read getattr lock
>write setattr append link unlink rename };
>allow user_gpg_t user_file_type:lnk_file { create read getattr setattr
>link unlink rename };
>allow user_locate_t { home_root_t user_home_dir_t user_file_type }:dir
>{ getattr search };
>allow user_locate_t user_file_type:{ file lnk_file } { getattr read };
>allow user_file_type user_home_t:filesystem associate;
>allow staff_gpg_t staff_file_type:dir { read getattr lock search ioctl
>add_name remove_name write };
>allow staff_gpg_t staff_file_type:file { create ioctl read getattr lock
>write setattr append link unlink rename };
>allow staff_gpg_t staff_file_type:lnk_file { create read getattr setattr
>link unlink rename };
>allow staff_locate_t { home_root_t staff_home_dir_t
>staff_file_type }:dir { getattr search };
>allow staff_locate_t staff_file_type:{ file lnk_file } { getattr read };
>allow staff_file_type staff_home_t:filesystem associate;
>
>
>
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-04-15 15:03 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-04-14 20:20 Question: ROLE_file_type vs customizable Ivan Gyurdiev
2005-04-15 14:51 ` Daniel J Walsh
2005-04-15 14:53 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.