From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: Harry Ciao <qingtao.cao@windriver.com>
Cc: sds@tycho.nsa.gov, selinux@tycho.nsa.gov
Subject: Re: [PATCH 1/1] Files and dirs objects could retain user role.
Date: Mon, 14 Mar 2011 08:23:11 -0400
Message-ID: <4D7E08AF.10107@tresys.com>
In-Reply-To: <1299828060-18411-2-git-send-email-qingtao.cao@windriver.com>

On 3/11/2011 2:20 AM, Harry Ciao wrote:
> Provide an interface to have the newly created files or dirs objects
> have a chance to retain its creator's role.
>
> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> ---
>   policy/modules/kernel/files.if      |   32 ++++++++++++++++++++++++++++++++
>   policy/modules/system/userdomain.if |    4 ++++
>   2 files changed, 36 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index ed203b2..dbec8d3 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -5844,3 +5844,35 @@ interface(`files_unconfined',`
>
>   	typeattribute $1 files_unconfined_type;
>   ')
> +
> +#######################################
> +##<summary>
> +##	Allow files and dirs with specified type
> +##	retain its creator role.
> +##</summary>
> +##<desc>
> +##	<p>
> +##	Allow files and dirs with specified type
> +##	retain its creator role.
> +##	</p>
> +##</desc>
> +##<param name="role">
> +##	<summary>
> +##	The creator role
> +##	</summary>
> +##</param>
> +##<param name="domain">
> +##	<summary>
> +##	The new object type
> +##	</summary>
> +##</param>
> +##<rolebase/>
> +#
> +interface(`files_retain_creator_role',`
> +	gen_require(`
> +		attribute file_type;
> +	')
> +
> +	role_transition $1 $2 $1;
> +	role $1 types $2;
> +')
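Review bot: the `gen_require` block imports `attribute file_type` but nothing in the interface body uses it; either drop the require or actually use the attribute (for example to restrict what $2 may be). The `<param name="domain">` documentation describes $2 as "The new object type", so the parameter should be named for a type rather than `domain`, and the summary text reads better as "Allow files and dirs of the specified type to retain their creator's role". Also worth calling out in the doc block: `role $1 types $2;` authorizes the role for the object type in addition to the `role_transition`, so a caller gets both effects from one invocation.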

I see no reason for this to be an interface.

> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 28b88de..dddc9e3 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -245,6 +245,10 @@ interface(`userdom_manage_home_role',`
>   	# cjp: this should probably be removed:
>   	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
>
> +	# new files or dirs object created in user HOME directory
> +	# retain the creator role.
> +	files_retain_creator_role($1, user_home_t)	
> +
>   	tunable_policy(`use_nfs_home_dirs',`
>   		fs_manage_nfs_dirs($2)
>   		fs_manage_nfs_files($2)
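Review bot: the added `files_retain_creator_role($1, user_home_t)` line has trailing whitespace after the closing parenthesis, and the comment above it should read "new file or dir objects created in the user HOME directory retain the creator's role". Because the interface being called also emits `role $1 types user_home_t`, every caller of `userdom_manage_home_role` now has `user_home_t` added to the role's authorized types; that side effect belongs in the commit message so reviewers can judge it.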


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


Thread overview: 8+ messages
2011-03-11  7:20 [v2] [SELinux] Discussions about rbacsep Harry Ciao
2011-03-11  7:20 ` [PATCH 1/1] Files and dirs objects could retain user role Harry Ciao
2011-03-14 12:23   ` Christopher J. PeBenito [this message]
2011-03-11  7:20 ` [v2 PATCH 1/2] Auto-generate security_is_filedir_class() Harry Ciao
2011-03-11  7:21 ` [v2 PATCH 2/2] role_transition for newly created files or dirs Harry Ciao
2011-03-11 14:11 ` [v2] [SELinux] Discussions about rbacsep Stephen Smalley
2011-03-11 19:04   ` James Carter
2011-03-12 12:26     ` HarryCiao
