* [refpolicy] [PATCH] Changes to the user domain policy module
@ 2012-10-18 18:08 Dominick Grift
  2012-10-19 13:23 ` Christopher J. PeBenito
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Dominick Grift @ 2012-10-18 18:08 UTC (permalink / raw)
  To: refpolicy


Content that (at least) common users need to be able to relabel and
create with a type transition

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9d447a2..bcffe18 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -575,6 +575,7 @@
 	')
 
 	optional_policy(`
+		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
 		alsa_manage_home_files($1_t)
 		alsa_read_rw_config($1_t)
 		alsa_relabel_home_files($1_t)
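Review bot: The new `alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")` call is placed above the alsa manage/relabel calls, whereas the kerberos, mysql and ppp blocks added by this same patch list `*_manage_*`, then `*_relabel_*`, and the `*_home_filetrans_*` call last. Moving it below `alsa_relabel_home_files($1_t)` keeps the four blocks uniform and makes the dependency visible: the transition only decides the type of a newly created `.asoundrc`, while the permission to create it presumably comes from the manage interface. The enclosing template opens before this hunk.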
@@ -629,7 +630,18 @@
 	')
 
 	optional_policy(`
+		kerberos_manage_krb5_home_files($1_t)
+		kerberos_relabel_krb5_home_files($1_t)
+		kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
+	')
+
+	optional_policy(`
 		locate_read_lib_files($1_t)
+	')
+
+	optional_policy(`
+		mpd_manage_user_data_content($1_t)
+		mpd_relabel_user_data_content($1_t)
 	')
 
 	# for running depmod as part of the kernel packaging process
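Review bot: None of the new home-file blocks carries a comment saying why user domains get a named file transition, although this file does annotate non-obvious blocks (see the depmod comment just below the hunk); the same applies to the mysql/oident hunk at -645 and the ppp hunk at -670. Above the kerberos block I would add `# ~/.k5login authorizes which principals may log in as this user; the transition keeps it in its own type rather than generic user home content`, and word the other blocks the same way. A `file` class transition only fires when the file is created directly under that name, so a tool that writes a temp file and renames it will not get the type; the paired `*_relabel_*` call is presumably what lets the user fix that up, and that is worth stating too. The mpd block adds manage/relabel but no transition, which looks deliberate (no fixed file name) but could use a word as well.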
@@ -645,11 +657,16 @@
 		tunable_policy(`allow_user_mysql_connect',`
 			mysql_stream_connect($1_t)
 		')
+
+		mysql_manage_mysqld_home_files($1_t)
+		mysql_relabel_mysqld_home_files($1_t)
+		mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf")
 	')
 
 	optional_policy(`
 		oident_manage_user_content($1_t)
 		oident_relabel_user_content($1_t)
+		oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf")
 	')
 
 	optional_policy(`
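Review bot: The mysql manage/relabel/filetrans calls added at the bottom of the optional_policy block sit outside the `allow_user_mysql_connect` tunable, so the user domain can manage and create `~/.my.cnf` even when connecting to mysqld is disabled by the tunable. That is probably intended (the client config is useful for remote connections too), but it reads as a scoping slip next to the gated `mysql_stream_connect`; a one-line comment such as `# client config is managed regardless of allow_user_mysql_connect` would settle it. Since `.my.cnf` commonly stores client credentials, giving it a distinct type is also what keeps it apart from generic user_home_t content, which is worth noting in the same comment. The enclosing optional_policy opens before the hunk.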
@@ -670,6 +687,12 @@
 	')
 
 	optional_policy(`
+		ppp_manage_home_files($1_t)
+		ppp_relabel_home_files($1_t)
+		ppp_home_filetrans_ppp_home($1_t, file, ".ppprc")
+	')
+
+	optional_policy(`
 		resmgr_stream_connect($1_t)
 	')
 


* [refpolicy] [PATCH] Changes to the user domain policy module
  2012-10-18 18:08 [refpolicy] [PATCH] Changes to the user domain policy module Dominick Grift
@ 2012-10-19 13:23 ` Christopher J. PeBenito
  2012-10-19 13:37   ` Dominick Grift
  2012-10-30 19:26 ` Dominick Grift
  2012-10-31 15:32 ` Christopher J. PeBenito
  2 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2012-10-19 13:23 UTC (permalink / raw)
  To: refpolicy

On 10/18/12 14:08, Dominick Grift wrote:
> 
> Content that (at least) common users need to be able to relabel and
> create with a type transition
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 9d447a2..bcffe18 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -575,6 +575,7 @@
>  	')
>  
>  	optional_policy(`
> +		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
>  		alsa_manage_home_files($1_t)
>  		alsa_read_rw_config($1_t)
>  		alsa_relabel_home_files($1_t)
> @@ -629,7 +630,18 @@
>  	')
>  
>  	optional_policy(`
> +		kerberos_manage_krb5_home_files($1_t)
> +		kerberos_relabel_krb5_home_files($1_t)
> +		kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
> +	')
> +
> +	optional_policy(`
>  		locate_read_lib_files($1_t)
> +	')
> +
> +	optional_policy(`
> +		mpd_manage_user_data_content($1_t)
> +		mpd_relabel_user_data_content($1_t)
>  	')
>  
>  	# for running depmod as part of the kernel packaging process
> @@ -645,11 +657,16 @@
>  		tunable_policy(`allow_user_mysql_connect',`
>  			mysql_stream_connect($1_t)
>  		')
> +
> +		mysql_manage_mysqld_home_files($1_t)
> +		mysql_relabel_mysqld_home_files($1_t)
> +		mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf")
>  	')
>  
>  	optional_policy(`
>  		oident_manage_user_content($1_t)
>  		oident_relabel_user_content($1_t)
> +		oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf")
>  	')
>  
>  	optional_policy(`
> @@ -670,6 +687,12 @@
>  	')
>  
>  	optional_policy(`
> +		ppp_manage_home_files($1_t)
> +		ppp_relabel_home_files($1_t)
> +		ppp_home_filetrans_ppp_home($1_t, file, ".ppprc")
> +	')
> +
> +	optional_policy(`

I don't have a problem with the transitions, but I have to think about if it makes sense to abstract away the names inside the interface (i.e. hardcode them) since those details likely belong in the respective modules.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH] Changes to the user domain policy module
  2012-10-19 13:23 ` Christopher J. PeBenito
@ 2012-10-19 13:37   ` Dominick Grift
  0 siblings, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2012-10-19 13:37 UTC (permalink / raw)
  To: refpolicy



On Fri, 2012-10-19 at 09:23 -0400, Christopher J. PeBenito wrote:
> On 10/18/12 14:08, Dominick Grift wrote:
> > 
> > Content that (at least) common users need to be able to relabel and
> > create with a type transition
> > 
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> > index 9d447a2..bcffe18 100644
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -575,6 +575,7 @@
> >  	')
> >  
> >  	optional_policy(`
> > +		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
> >  		alsa_manage_home_files($1_t)
> >  		alsa_read_rw_config($1_t)
> >  		alsa_relabel_home_files($1_t)
> > @@ -629,7 +630,18 @@
> >  	')
> >  
> >  	optional_policy(`
> > +		kerberos_manage_krb5_home_files($1_t)
> > +		kerberos_relabel_krb5_home_files($1_t)
> > +		kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
> > +	')
> > +
> > +	optional_policy(`
> >  		locate_read_lib_files($1_t)
> > +	')
> > +
> > +	optional_policy(`
> > +		mpd_manage_user_data_content($1_t)
> > +		mpd_relabel_user_data_content($1_t)
> >  	')
> >  
> >  	# for running depmod as part of the kernel packaging process
> > @@ -645,11 +657,16 @@
> >  		tunable_policy(`allow_user_mysql_connect',`
> >  			mysql_stream_connect($1_t)
> >  		')
> > +
> > +		mysql_manage_mysqld_home_files($1_t)
> > +		mysql_relabel_mysqld_home_files($1_t)
> > +		mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf")
> >  	')
> >  
> >  	optional_policy(`
> >  		oident_manage_user_content($1_t)
> >  		oident_relabel_user_content($1_t)
> > +		oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf")
> >  	')
> >  
> >  	optional_policy(`
> > @@ -670,6 +687,12 @@
> >  	')
> >  
> >  	optional_policy(`
> > +		ppp_manage_home_files($1_t)
> > +		ppp_relabel_home_files($1_t)
> > +		ppp_home_filetrans_ppp_home($1_t, file, ".ppprc")
> > +	')
> > +
> > +	optional_policy(`
> 
> I don't have a problem with the transitions, but I have to think about if it makes sense to abstract away the names inside the interface (i.e. hardcode them) since those details likely belong in the respective modules.
> 

What is the use of that? That only takes away flexibility.


* [refpolicy] [PATCH] Changes to the user domain policy module
  2012-10-18 18:08 [refpolicy] [PATCH] Changes to the user domain policy module Dominick Grift
  2012-10-19 13:23 ` Christopher J. PeBenito
@ 2012-10-30 19:26 ` Dominick Grift
  2012-10-31 15:32 ` Christopher J. PeBenito
  2 siblings, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2012-10-30 19:26 UTC (permalink / raw)
  To: refpolicy

Have you thought about this? I really prefer this
It is much more flexible and will keep things cleaner

I have used this throughout the policy already and changing it will be
much extra work

Can this be merged?

On Thu, 2012-10-18 at 20:08 +0200, Dominick Grift wrote:
> Content that (at least) common users need to be able to relabel and
> create with a type transition
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 9d447a2..bcffe18 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -575,6 +575,7 @@
>  	')
>  
>  	optional_policy(`
> +		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
>  		alsa_manage_home_files($1_t)
>  		alsa_read_rw_config($1_t)
>  		alsa_relabel_home_files($1_t)
> @@ -629,7 +630,18 @@
>  	')
>  
>  	optional_policy(`
> +		kerberos_manage_krb5_home_files($1_t)
> +		kerberos_relabel_krb5_home_files($1_t)
> +		kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
> +	')
> +
> +	optional_policy(`
>  		locate_read_lib_files($1_t)
> +	')
> +
> +	optional_policy(`
> +		mpd_manage_user_data_content($1_t)
> +		mpd_relabel_user_data_content($1_t)
>  	')
>  
>  	# for running depmod as part of the kernel packaging process
> @@ -645,11 +657,16 @@
>  		tunable_policy(`allow_user_mysql_connect',`
>  			mysql_stream_connect($1_t)
>  		')
> +
> +		mysql_manage_mysqld_home_files($1_t)
> +		mysql_relabel_mysqld_home_files($1_t)
> +		mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf")
>  	')
>  
>  	optional_policy(`
>  		oident_manage_user_content($1_t)
>  		oident_relabel_user_content($1_t)
> +		oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf")
>  	')
>  
>  	optional_policy(`
> @@ -670,6 +687,12 @@
>  	')
>  
>  	optional_policy(`
> +		ppp_manage_home_files($1_t)
> +		ppp_relabel_home_files($1_t)
> +		ppp_home_filetrans_ppp_home($1_t, file, ".ppprc")
> +	')
> +
> +	optional_policy(`
>  		resmgr_stream_connect($1_t)
>  	')
>  


* [refpolicy] [PATCH] Changes to the user domain policy module
  2012-10-18 18:08 [refpolicy] [PATCH] Changes to the user domain policy module Dominick Grift
  2012-10-19 13:23 ` Christopher J. PeBenito
  2012-10-30 19:26 ` Dominick Grift
@ 2012-10-31 15:32 ` Christopher J. PeBenito
  2 siblings, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2012-10-31 15:32 UTC (permalink / raw)
  To: refpolicy

On 10/18/12 14:08, Dominick Grift wrote:
> Content that (at least) common users need to be able to relabel and
> create with a type transition

Merged.
 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 9d447a2..bcffe18 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -575,6 +575,7 @@
>  	')
>  
>  	optional_policy(`
> +		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
>  		alsa_manage_home_files($1_t)
>  		alsa_read_rw_config($1_t)
>  		alsa_relabel_home_files($1_t)
> @@ -629,7 +630,18 @@
>  	')
>  
>  	optional_policy(`
> +		kerberos_manage_krb5_home_files($1_t)
> +		kerberos_relabel_krb5_home_files($1_t)
> +		kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
> +	')
> +
> +	optional_policy(`
>  		locate_read_lib_files($1_t)
> +	')
> +
> +	optional_policy(`
> +		mpd_manage_user_data_content($1_t)
> +		mpd_relabel_user_data_content($1_t)
>  	')
>  
>  	# for running depmod as part of the kernel packaging process
> @@ -645,11 +657,16 @@
>  		tunable_policy(`allow_user_mysql_connect',`
>  			mysql_stream_connect($1_t)
>  		')
> +
> +		mysql_manage_mysqld_home_files($1_t)
> +		mysql_relabel_mysqld_home_files($1_t)
> +		mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf")
>  	')
>  
>  	optional_policy(`
>  		oident_manage_user_content($1_t)
>  		oident_relabel_user_content($1_t)
> +		oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf")
>  	')
>  
>  	optional_policy(`
> @@ -670,6 +687,12 @@
>  	')
>  
>  	optional_policy(`
> +		ppp_manage_home_files($1_t)
> +		ppp_relabel_home_files($1_t)
> +		ppp_home_filetrans_ppp_home($1_t, file, ".ppprc")
> +	')
> +
> +	optional_policy(`
>  		resmgr_stream_connect($1_t)
>  	')

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

