2010-03-03 16:08:44

by domg472

Subject: [refpolicy] [ userdomain patch 1/1] Fix various interfaces to use permission sets for compatibility with open permission.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 b18abce... 7e541ef... M policy/modules/system/userdomain.if
policy/modules/system/userdomain.if | 20 ++++++++++----------
1 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b18abce..7e541ef 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1313,7 +1313,7 @@ interface(`userdom_setattr_user_ptys',`
type user_devpts_t;
')

- allow $1 user_devpts_t:chr_file setattr;
+ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
')

########################################
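Review bot: the setattr -> setattr_chr_file_perms change in userdom_setattr_user_ptys does not serve the purpose the subject line gives. setattr on its own never requires the open permission, so the allow rule's effective permissions are unchanged by this hunk. If it is kept as a consistency conversion to named permission sets, the commit message should say that rather than attributing it to open compatibility.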
@@ -1655,7 +1655,7 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
type user_home_t;
')

- dontaudit $1 user_home_t:file setattr;
+ dontaudit $1 user_home_t:file setattr_file_perms;
')

########################################
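Review bot: the setattr -> setattr_file_perms change in userdom_dontaudit_setattr_user_home_content_files is consistency only, since setattr does not involve open; the dontaudit silences exactly what it silenced before. Harmless, but it should not be counted among the open-compatibility fixes in the description of this patch.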
@@ -1730,7 +1730,7 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
type user_home_t;
')

- dontaudit $1 user_home_t:file append;
+ dontaudit $1 user_home_t:file append_file_perms;
')

########################################
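Review bot: the append -> append_file_perms change in userdom_dontaudit_append_user_home_content_files is a case where the open permission genuinely matters: appending now also needs open, and a dontaudit covering only append would leave an open denial in the audit log. Be aware that the set is a superset of { append open }, so the rule now silences a little more than its name suggests; the interface's description block should be updated to say it covers the open as well.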
@@ -1748,7 +1748,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
type user_home_t;
')

- dontaudit $1 user_home_t:file write;
+ dontaudit $1 user_home_t:file write_file_perms;
')

########################################
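Review bot: write_file_perms in userdom_dontaudit_write_user_home_content_files is a considerably broader set than the bare write permission it replaces; it covers open plus the other permissions the write set bundles. For a dontaudit rule that is usually acceptable, but it does mean denials on user_home_t that a policy developer may have wanted to see are now hidden. Confirm that is intended and mention it in the interface description.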
@@ -1849,7 +1849,7 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
type user_home_t;
')

- dontaudit $1 user_home_t:file execute;
+ dontaudit $1 user_home_t:file exec_file_perms;
')

########################################
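Review bot: exec_file_perms in userdom_dontaudit_exec_user_home_content_files is the one change in this patch that should be reconsidered. That set bundles read and the other permissions needed to load an executable, not just execute and open, so the dontaudit would also suppress denials for callers that merely read user home content, which is a different and more interesting event to lose from the audit log. If the aim is only to cover the new open check, a narrower explicit set such as { execute open } keeps the rule's original meaning.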
@@ -2193,7 +2193,7 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
type user_tmp_t;
')

- dontaudit $1 user_tmp_t:file append;
+ dontaudit $1 user_tmp_t:file append_file_perms;
')

########################################
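Review bot: the append -> append_file_perms change in userdom_dontaudit_append_user_tmp_files is the right kind of change for open compatibility, since an append now also requires open on user_tmp_t. As with any widening of a dontaudit, the interface description should note that the rule now also covers open, so that a reader of the audit log knows why that denial never appears.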
@@ -2467,7 +2467,7 @@ interface(`userdom_getattr_user_ttys',`
type user_tty_device_t;
')

- allow $1 user_tty_device_t:chr_file getattr;
+ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
')

########################################
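Review bot: getattr -> getattr_chr_file_perms in userdom_getattr_user_ttys is a pure consistency change: getattr does not require open, so the allow rule's effective permissions are unchanged. The same holds for the remaining user_tty_device_t getattr and setattr hunks below. The commit message should separate these no-op conversions from the append, write and exec changes that actually depend on open, so that a reader of the history does not assume getattr/setattr gained a permission.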
@@ -2485,7 +2485,7 @@ interface(`userdom_dontaudit_getattr_user_ttys',`
type user_tty_device_t;
')

- dontaudit $1 user_tty_device_t:chr_file getattr;
+ dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
')

########################################
@@ -2503,7 +2503,7 @@ interface(`userdom_setattr_user_ttys',`
type user_tty_device_t;
')

- allow $1 user_tty_device_t:chr_file setattr;
+ allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
')

########################################
@@ -2521,7 +2521,7 @@ interface(`userdom_dontaudit_setattr_user_ttys',`
type user_tty_device_t;
')

- dontaudit $1 user_tty_device_t:chr_file setattr;
+ dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
')

########################################
--
1.6.6.1


2010-03-03 16:10:39

by cpebenito

Subject: [refpolicy] [ userdomain patch 1/1] Fix various interfaces to use permission sets for compatibility with open permission.

On Wed, 2010-03-03 at 17:08 +0100, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>

Perhaps you're just not being precise, but getattr and setattr alone
don't require the open permission (I realize there are other changes
in the patch that do require open).

> ---
> :100644 100644 b18abce... 7e541ef... M policy/modules/system/userdomain.if
> policy/modules/system/userdomain.if | 20 ++++++++++----------
> 1 files changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index b18abce..7e541ef 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1313,7 +1313,7 @@ interface(`userdom_setattr_user_ptys',`
> type user_devpts_t;
> ')
>
> - allow $1 user_devpts_t:chr_file setattr;
> + allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
> ')
>
> ########################################
> @@ -1655,7 +1655,7 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
> type user_home_t;
> ')
>
> - dontaudit $1 user_home_t:file setattr;
> + dontaudit $1 user_home_t:file setattr_file_perms;
> ')
>
> ########################################
> @@ -1730,7 +1730,7 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
> type user_home_t;
> ')
>
> - dontaudit $1 user_home_t:file append;
> + dontaudit $1 user_home_t:file append_file_perms;
> ')
>
> ########################################
> @@ -1748,7 +1748,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
> type user_home_t;
> ')
>
> - dontaudit $1 user_home_t:file write;
> + dontaudit $1 user_home_t:file write_file_perms;
> ')
>
> ########################################
> @@ -1849,7 +1849,7 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
> type user_home_t;
> ')
>
> - dontaudit $1 user_home_t:file execute;
> + dontaudit $1 user_home_t:file exec_file_perms;
> ')
>
> ########################################
> @@ -2193,7 +2193,7 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
> type user_tmp_t;
> ')
>
> - dontaudit $1 user_tmp_t:file append;
> + dontaudit $1 user_tmp_t:file append_file_perms;
> ')
>
> ########################################
> @@ -2467,7 +2467,7 @@ interface(`userdom_getattr_user_ttys',`
> type user_tty_device_t;
> ')
>
> - allow $1 user_tty_device_t:chr_file getattr;
> + allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
> ')
>
> ########################################
> @@ -2485,7 +2485,7 @@ interface(`userdom_dontaudit_getattr_user_ttys',`
> type user_tty_device_t;
> ')
>
> - dontaudit $1 user_tty_device_t:chr_file getattr;
> + dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
> ')
>
> ########################################
> @@ -2503,7 +2503,7 @@ interface(`userdom_setattr_user_ttys',`
> type user_tty_device_t;
> ')
>
> - allow $1 user_tty_device_t:chr_file setattr;
> + allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
> ')
>
> ########################################
> @@ -2521,7 +2521,7 @@ interface(`userdom_dontaudit_setattr_user_ttys',`
> type user_tty_device_t;
> ')
>
> - dontaudit $1 user_tty_device_t:chr_file setattr;
> + dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
> ')
>
> ########################################
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2010-03-03 16:33:51

by domg472

Subject: [refpolicy] [ userdomain patch 1/1] Fix various interfaces to use permission sets for compatibility with open permission.

I do realize that, and yes it is a bit (too?) enthusiastic. However, those permission sets are there for a reason too.
It's pretty odd though to have a getattr_file_perms set just for the getattr permission.

To the point, I do not think those non-open permission sets do harm, except maybe the exec_file_perms.
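To put the point made in this exchange into checkable form, here is an added example (not part of this thread or of refpolicy) that expands permission-set macros and reports what each hunk's `+` line grants or silences beyond its `-` line. The set definitions embedded in it are a simplified, assumed model of refpolicy's policy/support/obj_perm_sets.spt, not the real file; feed it the real file before trusting any set's exact membership.

```python
"""Expand refpolicy-style permission-set macros and diff old vs new rules."""
import re

# Constructed, simplified model of refpolicy's policy/support/obj_perm_sets.spt.
# ASSUMPTION: the real sets may differ; load the actual file for real reviews.
PERM_SET_DEFS = """
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`append_inherited_file_perms',`{ getattr append }')
define(`append_file_perms',`{ open append_inherited_file_perms }')
define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
define(`write_file_perms',`{ open write_inherited_file_perms }')
define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
define(`getattr_chr_file_perms',`{ getattr }')
define(`setattr_chr_file_perms',`{ setattr }')
"""

DEFINE_RE = re.compile(r"define\(`(\w+)',`\{([^}]*)\}'\)")
RULE_RE = re.compile(r"^(allow|dontaudit)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$")

def parse_perm_sets(text):
    """Return {set_name: [member tokens]} from define(`name',`{ ... }') lines."""
    return {m.group(1): m.group(2).split() for m in DEFINE_RE.finditer(text)}

def expand(token, sets, seen=frozenset()):
    """Recursively expand a set name; a bare permission passes through as itself."""
    if token not in sets:
        return {token}
    if token in seen:
        raise ValueError(f"cycle through permission set {token}")
    out = set()
    for member in sets[token]:
        out |= expand(member, sets, seen | {token})
    return out

def rule_perms(rule, sets):
    """Effective permissions of one allow/dontaudit rule after macro expansion."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparsable rule: {rule!r}")
    out = set()
    for token in m.group(5).strip("{}").split():
        out |= expand(token, sets)
    return out

def hunk_adds(old_rule, new_rule, sets):
    """Permissions the '+' line grants or silences beyond the '-' line."""
    return rule_perms(new_rule, sets) - rule_perms(old_rule, sets)
```

Running hunk_adds over the setattr and getattr hunks returns an empty set, while the append, write and exec hunks return open plus whatever else each set bundles, which is exactly the distinction the review raised.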
