From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role
Date: Fri, 09 Jul 2010 08:26:59 -0400	[thread overview]
Message-ID: <4C371593.6010505@tresys.com> (raw)
In-Reply-To: <20100708153238.GA6701@localhost.localdomain>

On 07/08/10 11:32, Dominick Grift wrote:
> Edit userdom_manage_home_role and userdom_ro_home_role to include attribute user_home_type.
> Allow users that call userdom_ro_home_role() to read all userdom_user_home_content.
> Allow users that call userdom_manage_home_role() to manage and relabel all userdom_user_home_content.

It didn't occur to me before, but we can't make this part of the 
changeset.  If you look at the sediff before and after this change, 
other roles, such as auditadm, dbadm, and guest gain a bunch of new 
permissions.  For example, I see:

	+ allow dbadm_t thunderbird_home_t : dir { add_name create getattr ioctl link lock open read relabelfrom relabelto remove_name rename reparent rmdir search setattr unlink write };
	+ allow dbadm_t thunderbird_home_t : fifo_file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
	+ allow dbadm_t thunderbird_home_t : file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
	+ allow dbadm_t thunderbird_home_t : lnk_file { create getattr link read relabelfrom relabelto rename setattr unlink write };
	+ allow dbadm_t thunderbird_home_t : sock_file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };

But it doesn't have thunderbird_role().

> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 d5cf579... 347d339... M	policy/modules/system/userdomain.if
>   policy/modules/system/userdomain.if |   34 ++++++++++++++++++----------------
>   1 files changed, 18 insertions(+), 16 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d5cf579..347d339 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -146,10 +146,11 @@ template(`userdom_base_user_template',`
>   #
>   interface(`userdom_ro_home_role',`
>   	gen_require(`
> +		attribute user_home_type;
>   		type user_home_t, user_home_dir_t;
>   	')
>
> -	role $1 types { user_home_t user_home_dir_t };
> +	role $1 types { user_home_type user_home_dir_t };
>
>   	##############################
>   	#
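Review bot: the `role $1 types { user_home_type user_home_dir_t };` line authorizes the role for every type carrying the user_home_type attribute, so any domain set up through userdom_ro_home_role() is authorized for application-specific home types even when the application's own role interface is never called for it. If the widening is intended, say so in the interface's `##` header comment (unchanged in this hunk); otherwise keep the role statement on user_home_t and let each application policy add its home type through its own role interface.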
> @@ -162,10 +163,10 @@ interface(`userdom_ro_home_role',`
>   	allow $2 user_home_dir_t:dir list_dir_perms;
>   	allow $2 user_home_t:dir list_dir_perms;
>   	allow $2 user_home_t:file entrypoint;
> -	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> +	read_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_lnk_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_fifo_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_sock_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
>   	files_list_home($2)
>
>   	tunable_policy(`use_nfs_home_dirs',`
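Review bot: the four read_*_pattern calls now cover every user_home_type member, while `allow $2 user_home_dir_t:dir list_dir_perms;`, `allow $2 user_home_t:dir list_dir_perms;` and `allow $2 user_home_t:file entrypoint;` just above stay on user_home_t, so directories of the other user_home_type members become searchable through the patterns' directory argument but not listable. Either the list_dir_perms rule should follow the patterns to user_home_type, or the patterns should stay on user_home_t so that a caller of userdom_ro_home_role() does not silently gain read access to all user home content types; the asymmetry as written looks unintended.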
> @@ -219,10 +220,11 @@ interface(`userdom_ro_home_role',`
>   #
>   interface(`userdom_manage_home_role',`
>   	gen_require(`
> +		attribute user_home_type;
>   		type user_home_t, user_home_dir_t;
>   	')
>
> -	role $1 types { user_home_t user_home_dir_t };
> +	role $1 types { user_home_type user_home_dir_t };
>
>   	##############################
>   	#
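Review bot: same point as in userdom_ro_home_role: with `role $1 types { user_home_type user_home_dir_t };` every caller of userdom_manage_home_role() is authorized for all user home content types, which is exactly how dbadm_t ends up with the thunderbird_home_t rules in the sediff excerpt above without calling thunderbird_role(). The interface's header comment above this hunk still describes the narrower scope and should be updated if this change is kept.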
> @@ -233,16 +235,16 @@ interface(`userdom_manage_home_role',`
>
>   	# full control of the home directory
>   	allow $2 user_home_t:file entrypoint;
> -	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> +	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
>   	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
>   	files_list_home($2)
>
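Review bot: moving the manage_* and relabel_* patterns to user_home_type hands every caller create, unlink, relabelfrom and relabelto on all user home content types at once, while `allow $2 user_home_t:file entrypoint;` and `filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })` remain on user_home_t. If the intent is that only the generic type is created and executed from but everything under user_home_type is manageable and relabelable, state that in the `# full control of the home directory` comment; otherwise keep the patterns on user_home_t and grant application home types through their own role interfaces, which keeps domains such as dbadm_t from gaining full control of content they have no application role for.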


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
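An added illustration of the point made above (not part of this thread or of refpolicy): a small model of attribute expansion in allow rules that computes, the way sediff does, which rules appear when a shared role interface names the user_home_type attribute instead of the user_home_t type, and contrasts it with per-application opt-in through separate role interfaces. The attribute membership and the set of calling domains are constructed assumptions.

```python
"""Model of how naming an attribute instead of a type inside a shared role
interface widens what every caller receives. Constructed example for this
thread, not refpolicy code; membership and callers below are assumed."""
from itertools import product

# Assumed attribute membership; a real policy has many more user_home_type members.
ATTRIBUTES = {"user_home_type": {"user_home_t", "thunderbird_home_t", "mozilla_home_t"}}

# Assumed callers of userdom_manage_home_role() and the application home types
# each one opts into via that application's own role interface (none for the
# admin and guest roles, matching the maintainer's observation).
CALLERS = {"user_t": {"thunderbird_home_t"}, "dbadm_t": set(),
           "auditadm_t": set(), "guest_t": set()}

CLASSES = ("dir", "file", "lnk_file", "sock_file", "fifo_file")

def expand(target):
    """Resolve an attribute to its member types; a plain type is itself."""
    return ATTRIBUTES.get(target, {target})

def interface_rules(domain, target):
    """(source, target type, class) tuples the manage patterns grant when the
    interface names `target` (user_home_t before the patch, the attribute after)."""
    return {(domain, t, cls) for t, cls in product(expand(target), CLASSES)}

def policy(target):
    """Whole-policy rule set: every caller gets the shared interface as written."""
    rules = set()
    for domain in CALLERS:
        rules |= interface_rules(domain, target)
    return rules

def opt_in_policy():
    """Alternative: the shared interface stays on user_home_t and each
    application home type is granted only by that application's role interface."""
    rules = set()
    for domain, app_types in CALLERS.items():
        rules |= interface_rules(domain, "user_home_t")
        for t in app_types:
            rules |= interface_rules(domain, t)
    return rules

def sediff(before, after):
    """Rules present only in `after`, like the '+' lines sediff prints."""
    return sorted(after - before)

def gained_targets(domain, after):
    """Target types a domain newly reaches compared with the pre-patch policy."""
    added = sediff(policy("user_home_t"), after)
    return sorted({t for s, t, _ in added if s == domain})

if __name__ == "__main__":
    for src, tgt, cls in sediff(policy("user_home_t"), policy("user_home_type")):
        print(f"+ allow {src} {tgt} : {cls}")
```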
