* [refpolicy] [PATCH v3] Label /var/cache/man with a private man cache type for mandb
@ 2012-10-31 18:02 Dominick Grift
  2012-11-26 16:08 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2012-10-31 18:02 UTC (permalink / raw)
  To: refpolicy

Since /var/cache/man was previously labeled man_t, make sure that the existing
man_t interfaces also cover man_cache_t

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9116567..855792f 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -77,7 +77,7 @@
 
 /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
 /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+/var/cache/man(/.*)?	gen_context(system_u:object_r:man_cache_t,s0)
 
 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
 
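Review bot: The replacement `/var/cache/man(/.*)?` entry is separated from `gen_context` by a single tab while the neighbouring fontconfig and fonts entries keep two, so the context column no longer lines up in the .fc file; restore the original two-tab spacing on the new line so it reads `/var/cache/man(/.*)?<tab><tab>gen_context(system_u:object_r:man_cache_t,s0)`. The new context presumably only takes effect on already-installed systems once /var/cache/man is relabeled, which is worth one line in the commit message.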
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 926ba65..8e188f7 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -486,10 +486,10 @@
 #
 interface(`miscfiles_search_man_pages',`
 	gen_require(`
-		type man_t;
+		type man_t, man_cache_t;
 	')
 
-	allow $1 man_t:dir search_dir_perms;
+	allow $1 { man_cache_t man_t }:dir search_dir_perms;
 	files_search_usr($1)
 ')
 
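Review bot: The `<summary>` block above this interface (outside the hunk) still describes searching man pages only, but the interface now also grants `search_dir_perms` on `man_cache_t`, and the same silent widening applies to the dontaudit, read, delete and manage interfaces in the following hunks. Because every existing caller of e.g. `miscfiles_manage_man_pages` now gains write access under /var/cache/man as well, each summary should say that the man cache is included; for this one something like `## Search man page directories, including the man cache.` tells callers what they are receiving. The body still calls only `files_search_usr($1)`, so a domain needs var search from elsewhere to actually reach the cache, as was already the case when /var/cache/man carried man_t.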
@@ -505,10 +505,10 @@
 #
 interface(`miscfiles_dontaudit_search_man_pages',`
 	gen_require(`
-		type man_t;
+		type man_t, man_cache_t;
 	')
 
-	dontaudit $1 man_t:dir search_dir_perms;
+	dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
 ')
 
 ########################################
@@ -524,13 +524,13 @@
 #
 interface(`miscfiles_read_man_pages',`
 	gen_require(`
-		type man_t;
+		type man_t, man_cache_t;
 	')
 
 	files_search_usr($1)
-	allow $1 man_t:dir list_dir_perms;
-	read_files_pattern($1, man_t, man_t)
-	read_lnk_files_pattern($1, man_t, man_t)
+	allow $1 { man_cache_t man_t }:dir list_dir_perms;
+	read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 ')
 
 ########################################
@@ -546,17 +546,14 @@
 #
 interface(`miscfiles_delete_man_pages',`
 	gen_require(`
-		type man_t;
+		type man_t, man_cache_t;
 	')
 
 	files_search_usr($1)
-
-	allow $1 man_t:dir setattr;
-	# RH bug #309351
-	allow $1 man_t:dir list_dir_perms;
-	delete_dirs_pattern($1, man_t, man_t)
-	delete_files_pattern($1, man_t, man_t)
-	delete_lnk_files_pattern($1, man_t, man_t)
+	allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
+	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 ')
 
 ########################################
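Review bot: The `# RH bug #309351` comment that explained why `list_dir_perms` is granted on the man directories is dropped while the permission itself is kept inside the merged `allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };`, so the provenance of that rule is lost; keep the comment on the line above the merged rule. Folding the bare `setattr` into `setattr_dir_perms` is otherwise fine.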
@@ -571,13 +568,56 @@
 #
 interface(`miscfiles_manage_man_pages',`
 	gen_require(`
-		type man_t;
+		type man_t, man_cache_t;
 	')
 
 	files_search_usr($1)
-	manage_dirs_pattern($1, man_t, man_t)
-	manage_files_pattern($1, man_t, man_t)
-	read_lnk_files_pattern($1, man_t, man_t)
+	manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+	manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+')
+
+########################################
+## <summary>
+##	Read man cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_man_cache_content',`
+	gen_require(`
+		type man_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 man_cache_t:dir list_dir_perms;
+	allow $1 man_cache_t:file read_file_perms;
+	allow $1 man_cache_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	man cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_man_cache_content',`
+	gen_require(`
+		type man_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 man_cache_t:dir manage_dir_perms;
+	allow $1 man_cache_t:file manage_file_perms;
+	allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
 ')
 
 ########################################
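Review bot: The two new interfaces `miscfiles_read_man_cache_content` and `miscfiles_manage_man_cache_content` spell out per-class `allow` rules, while the rewritten `miscfiles_manage_man_pages` lines a few lines above in the same hunk use the `*_pattern` macros; the file reads more consistently if the new interfaces use the same macros. The patterns additionally grant directory `search` on the type, which `list_dir_perms` and `manage_dir_perms` already include here, so the effective access does not change. The rewritten bodies are below.
```m4
interface(`miscfiles_read_man_cache_content',`
	# … unchanged: gen_require and files_search_var …
	list_dirs_pattern($1, man_cache_t, man_cache_t)
	read_files_pattern($1, man_cache_t, man_cache_t)
	read_lnk_files_pattern($1, man_cache_t, man_cache_t)
')

interface(`miscfiles_manage_man_cache_content',`
	# … unchanged: gen_require and files_search_var …
	manage_dirs_pattern($1, man_cache_t, man_cache_t)
	manage_files_pattern($1, man_cache_t, man_cache_t)
	manage_lnk_files_pattern($1, man_cache_t, man_cache_t)
')
```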
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index dcc5233..c6e5d3b 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -41,6 +41,9 @@
 type man_t alias catman_t;
 files_type(man_t)
 
+type man_cache_t;
+files_type(man_cache_t)
+
 #
 # Types for public content
 #
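Review bot: `type man_cache_t;` is declared without a comment saying what it labels, so a reader of the .te file alone cannot tell it from the man page type declared just above it; a one-line comment above the declaration, such as `# Type for the man page cache under /var/cache/man (used by mandb)`, ties it to the file-context entry and the commit subject.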
