From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [alsa patch (RETRY) 1/1] Common confined users can manage and relabel alsa home files.
Date: Fri, 17 Sep 2010 09:08:58 -0400 [thread overview]
Message-ID: <4C93686A.5060507@redhat.com> (raw)
In-Reply-To: <4C93603E.2070804@tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/17/2010 08:34 AM, Christopher J. PeBenito wrote:
> On 09/16/10 11:07, Daniel J Walsh wrote:
>> On 09/16/2010 08:49 AM, Dominick Grift wrote:
>>> Unconditional.
>>>
>>> Signed-off-by: Dominick Grift<domg472@gmail.com>
>>> ---
>>> :100644 100644 69aa742... 978edf4... M policy/modules/admin/alsa.if
>>> :100644 100644 1854002... cfc307b... M policy/modules/roles/staff.te
>>> :100644 100644 2a19751... c81e389... M policy/modules/roles/sysadm.te
>>> :100644 100644 9b55b00... 763edf3... M
>>> policy/modules/roles/unprivuser.te
>>> policy/modules/admin/alsa.if | 38
>>> ++++++++++++++++++++++++++++++++++++
>>> policy/modules/roles/staff.te | 5 ++++
>>> policy/modules/roles/sysadm.te | 5 ++++
>>> policy/modules/roles/unprivuser.te | 5 ++++
>>> 4 files changed, 53 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
>>> index 69aa742..978edf4 100644
>>> --- a/policy/modules/admin/alsa.if
>>> +++ b/policy/modules/admin/alsa.if
>>> @@ -126,6 +126,44 @@ interface(`alsa_read_home_files',`
>>>
>>> ########################################
>>> ##<summary>
>>> +## Relabel alsa home files.
>>> +##</summary>
>>> +##<param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +##</param>
>>> +#
>>> +interface(`alsa_relabel_home_files',`
>>> + gen_require(`
>>> + type alsa_home_t;
>>> + ')
>>> +
>>> + userdom_search_user_home_dirs($1)
>>> + allow $1 alsa_home_t:file relabel_file_perms;
>>> +')
>>> +
>>> +########################################
>>> +##<summary>
>>> +## Manage alsa home files.
>>> +##</summary>
>>> +##<param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +##</param>
>>> +#
>>> +interface(`alsa_manage_home_files',`
>>> + gen_require(`
>>> + type alsa_home_t;
>>> + ')
>>> +
>>> + userdom_search_user_home_dirs($1)
>>> + allow $1 alsa_home_t:file manage_file_perms;
>>> +')
>>> +
>>> +########################################
>>> +##<summary>
>>> ## Read Alsa lib files.
>>> ##</summary>
>>> ##<param name="domain">
>>> diff --git a/policy/modules/roles/staff.te
>>> b/policy/modules/roles/staff.te
>>> index 1854002..cfc307b 100644
>>> --- a/policy/modules/roles/staff.te
>>> +++ b/policy/modules/roles/staff.te
>>> @@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff)
>>> #
>>>
>>> optional_policy(`
>>> + alsa_manage_home_files(staff_t)
>>> + alsa_relabel_home_files(staff_t)
>>> +')
>>> +
>>> +optional_policy(`
>>> apache_role(staff_r, staff_t)
>>> ')
>>>
>>> diff --git a/policy/modules/roles/sysadm.te
>>> b/policy/modules/roles/sysadm.te
>>> index 2a19751..c81e389 100644
>>> --- a/policy/modules/roles/sysadm.te
>>> +++ b/policy/modules/roles/sysadm.te
>>> @@ -62,6 +62,11 @@ tunable_policy(`allow_ptrace',`
>>> ')
>>>
>>> optional_policy(`
>>> + alsa_manage_home_files(sysadm_t)
>>> + alsa_relabel_home_files(sysadm_t)
>>> +')
>>> +
>>> +optional_policy(`
>>> amanda_run_recover(sysadm_t, sysadm_r)
>>> ')
>>>
>>> diff --git a/policy/modules/roles/unprivuser.te
>>> b/policy/modules/roles/unprivuser.te
>>> index 9b55b00..763edf3 100644
>>> --- a/policy/modules/roles/unprivuser.te
>>> +++ b/policy/modules/roles/unprivuser.te
>>> @@ -13,6 +13,11 @@ role user_r;
>>> userdom_unpriv_user_template(user)
>>>
>>> optional_policy(`
>>> + alsa_manage_home_files(user_t)
>>> + alsa_relabel_home_files(user_t)
>>> +')
>>
>> Wouldn't it be better to put these in> userdom_unpriv_user_template
>
> If you wanted to cover all three roles, userdom_common_user_template()
> would be the one to use.
>
I believe sysadm_t can already do this anyways. But I don't like
sysadm_t being used as a standard login domain. I guess I don't like it
at all...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkyTaGoACgkQrlYvE4MpobNC5gCgjwqk+Fo1M+rFHhoELLze2XuM
cIUAoOYHK594t0wmudQJIlLOLr2fAbVj
=upHg
-----END PGP SIGNATURE-----
prev parent reply other threads:[~2010-09-17 13:08 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-16 12:49 [refpolicy] [alsa patch (RETRY) 1/1] Common confined users can manage and relabel alsa home files Dominick Grift
2010-09-16 15:07 ` Daniel J Walsh
2010-09-17 12:34 ` Christopher J. PeBenito
2010-09-17 13:08 ` Daniel J Walsh [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C93686A.5060507@redhat.com \
--to=dwalsh@redhat.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.