* [refpolicy] [PATCH v3] Label /var/cache/man with a private man cache type for mandb
@ 2012-10-31 18:02 Dominick Grift
From: Dominick Grift @ 2012-10-31 18:02 UTC (permalink / raw)
To: refpolicy
Since /var/cache/man was previously labeled man_t, extend the existing man_t
interfaces so that they also grant the same access to man_cache_t.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9116567..855792f 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -77,7 +77,7 @@
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0)
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 926ba65..8e188f7 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -486,10 +486,10 @@
#
interface(`miscfiles_search_man_pages',`
gen_require(`
- type man_t;
+ type man_t, man_cache_t;
')
- allow $1 man_t:dir search_dir_perms;
+ allow $1 { man_cache_t man_t }:dir search_dir_perms;
files_search_usr($1)
')
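Review bot: The man_cache_t search permission added on the `allow` line is not reachable through this interface on its own: /var/cache/man lives under /var, yet the interface still only calls `files_search_usr($1)`, so a caller that has no /var search of its own gets a grant it cannot use. If existing callers are meant to transparently reach the relocated cache, add `files_search_var($1)` beside `files_search_usr($1)`; the same gap appears in the read, delete and manage interfaces further down this patch, whereas the new `miscfiles_read_man_cache_content` does call `files_search_var($1)`. If instead the cache is only meant to be reached through the new dedicated interfaces, say so in the interface summary. The interface's summary block begins before this hunk.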
@@ -505,10 +505,10 @@
#
interface(`miscfiles_dontaudit_search_man_pages',`
gen_require(`
- type man_t;
+ type man_t, man_cache_t;
')
- dontaudit $1 man_t:dir search_dir_perms;
+ dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
')
########################################
@@ -524,13 +524,13 @@
#
interface(`miscfiles_read_man_pages',`
gen_require(`
- type man_t;
+ type man_t, man_cache_t;
')
files_search_usr($1)
- allow $1 man_t:dir list_dir_perms;
- read_files_pattern($1, man_t, man_t)
- read_lnk_files_pattern($1, man_t, man_t)
+ allow $1 { man_cache_t man_t }:dir list_dir_perms;
+ read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')
########################################
@@ -546,17 +546,14 @@
#
interface(`miscfiles_delete_man_pages',`
gen_require(`
- type man_t;
+ type man_t, man_cache_t;
')
files_search_usr($1)
-
- allow $1 man_t:dir setattr;
- # RH bug #309351
- allow $1 man_t:dir list_dir_perms;
- delete_dirs_pattern($1, man_t, man_t)
- delete_files_pattern($1, man_t, man_t)
- delete_lnk_files_pattern($1, man_t, man_t)
+ allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
+ delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')
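Review bot: The `# RH bug #309351` comment that justified `list_dir_perms` in a delete interface is dropped while the permission itself is kept on the consolidated `allow` line, so the next reader has no record of why deleting man pages requires listing directories. Keep the reference, e.g. `# list_dir_perms: RH bug #309351` above the `allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };` line. Replacing the bare `setattr` with `setattr_dir_perms` looks behavior-preserving, but that depends on the permission-set definition in obj_perm_sets.spt, which is not visible here, so it is worth confirming.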
########################################
@@ -571,13 +568,56 @@
#
interface(`miscfiles_manage_man_pages',`
gen_require(`
- type man_t;
+ type man_t, man_cache_t;
')
files_search_usr($1)
- manage_dirs_pattern($1, man_t, man_t)
- manage_files_pattern($1, man_t, man_t)
- read_lnk_files_pattern($1, man_t, man_t)
+ manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+')
+
+########################################
+## <summary>
+## Read man cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_read_man_cache_content',`
+ gen_require(`
+ type man_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 man_cache_t:dir list_dir_perms;
+ allow $1 man_cache_t:file read_file_perms;
+ allow $1 man_cache_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## man cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_manage_man_cache_content',`
+ gen_require(`
+ type man_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 man_cache_t:dir manage_dir_perms;
+ allow $1 man_cache_t:file manage_file_perms;
+ allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
')
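Review bot: `miscfiles_manage_man_cache_content` grants manage permissions on man_cache_t through three raw `allow` rules, but nothing in the interface causes a newly created /var/cache/man to receive that label: the type is only assigned by the .fc entry at labeling time, so a domain that has to create the directory itself would end up with a directory of the parent's type (presumably var_t) and then fail against these rules. If the mandb domain is expected to create the cache directory, add `files_var_filetrans($1, man_cache_t, dir)` to the manage interface; if the directory is always shipped by the package, state that assumption in the summary. Stylistically, the sibling interfaces in this file use `manage_dirs_pattern`/`manage_files_pattern`/`read_lnk_files_pattern` rather than per-class `allow` lines, and the two new interfaces would read more consistently written the same way, e.g. `manage_dirs_pattern($1, man_cache_t, man_cache_t)`.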
########################################
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index dcc5233..c6e5d3b 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -41,6 +41,9 @@
type man_t alias catman_t;
files_type(man_t)
+type man_cache_t;
+files_type(man_cache_t)
+
#
# Types for public content
#
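Review bot: The new `type man_cache_t;` declaration carries no comment saying what it labels, while the `# Types for public content` header just below shows the file's habit of annotating type groups, so a reader of miscfiles.te has to consult the .fc file to learn this is the mandb cache. Add `# mandb index and cache files under /var/cache/man` above the declaration. Since the type is only marked `files_type`, any broad file-reading attribute grant in other modules will cover it, which is presumably intended for a cache but worth stating in that comment.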
* [refpolicy] [PATCH v3] Label /var/cache/man with a private man cache type for mandb
@ 2012-11-26 16:08 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2012-11-26 16:08 UTC (permalink / raw)
To: refpolicy
On 10/31/12 14:02, Dominick Grift wrote:
> Since /var/cache/man was previously labeled man_t, make sure that the old
> interfaces with regard to man_t also support man_cache_t
Merged. Tweaked a couple interface names.
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> index 9116567..855792f 100644
> --- a/policy/modules/system/miscfiles.fc
> +++ b/policy/modules/system/miscfiles.fc
> @@ -77,7 +77,7 @@
>
> /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
> /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
> -/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> +/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0)
>
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
>
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 926ba65..8e188f7 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -486,10 +486,10 @@
> #
> interface(`miscfiles_search_man_pages',`
> gen_require(`
> - type man_t;
> + type man_t, man_cache_t;
> ')
>
> - allow $1 man_t:dir search_dir_perms;
> + allow $1 { man_cache_t man_t }:dir search_dir_perms;
> files_search_usr($1)
> ')
>
> @@ -505,10 +505,10 @@
> #
> interface(`miscfiles_dontaudit_search_man_pages',`
> gen_require(`
> - type man_t;
> + type man_t, man_cache_t;
> ')
>
> - dontaudit $1 man_t:dir search_dir_perms;
> + dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
> ')
>
> ########################################
> @@ -524,13 +524,13 @@
> #
> interface(`miscfiles_read_man_pages',`
> gen_require(`
> - type man_t;
> + type man_t, man_cache_t;
> ')
>
> files_search_usr($1)
> - allow $1 man_t:dir list_dir_perms;
> - read_files_pattern($1, man_t, man_t)
> - read_lnk_files_pattern($1, man_t, man_t)
> + allow $1 { man_cache_t man_t }:dir list_dir_perms;
> + read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
> + read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
> ')
>
> ########################################
> @@ -546,17 +546,14 @@
> #
> interface(`miscfiles_delete_man_pages',`
> gen_require(`
> - type man_t;
> + type man_t, man_cache_t;
> ')
>
> files_search_usr($1)
> -
> - allow $1 man_t:dir setattr;
> - # RH bug #309351
> - allow $1 man_t:dir list_dir_perms;
> - delete_dirs_pattern($1, man_t, man_t)
> - delete_files_pattern($1, man_t, man_t)
> - delete_lnk_files_pattern($1, man_t, man_t)
> + allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
> + delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
> + delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
> + delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
> ')
>
> ########################################
> @@ -571,13 +568,56 @@
> #
> interface(`miscfiles_manage_man_pages',`
> gen_require(`
> - type man_t;
> + type man_t, man_cache_t;
> ')
>
> files_search_usr($1)
> - manage_dirs_pattern($1, man_t, man_t)
> - manage_files_pattern($1, man_t, man_t)
> - read_lnk_files_pattern($1, man_t, man_t)
> + manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
> + manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
> + read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
> +')
> +
> +########################################
> +## <summary>
> +## Read man cache content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`miscfiles_read_man_cache_content',`
> + gen_require(`
> + type man_cache_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 man_cache_t:dir list_dir_perms;
> + allow $1 man_cache_t:file read_file_perms;
> + allow $1 man_cache_t:lnk_file read_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## man cache content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`miscfiles_manage_man_cache_content',`
> + gen_require(`
> + type man_cache_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 man_cache_t:dir manage_dir_perms;
> + allow $1 man_cache_t:file manage_file_perms;
> + allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
> ')
>
> ########################################
> diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
> index dcc5233..c6e5d3b 100644
> --- a/policy/modules/system/miscfiles.te
> +++ b/policy/modules/system/miscfiles.te
> @@ -41,6 +41,9 @@
> type man_t alias catman_t;
> files_type(man_t)
>
> +type man_cache_t;
> +files_type(man_cache_t)
> +
> #
> # Types for public content
> #
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com