2010-07-08 15:32:41

by domg472

Subject: [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role

Edit userdom_manage_home_role and userdom_ro_home_role to include attribute user_home_type.
Allow users that call userdom_ro_home_role() to read all userdom_user_home_content.
Allow users that call userdom_manage_home_role() to manage and relabel all userdom_user_home_content.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 d5cf579... 347d339... M policy/modules/system/userdomain.if
policy/modules/system/userdomain.if | 34 ++++++++++++++++++----------------
1 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d5cf579..347d339 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -146,10 +146,11 @@ template(`userdom_base_user_template',`
#
interface(`userdom_ro_home_role',`
gen_require(`
+ attribute user_home_type;
type user_home_t, user_home_dir_t;
')

- role $1 types { user_home_t user_home_dir_t };
+ role $1 types { user_home_type user_home_dir_t };

##############################
#
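Review bot: The `## <summary>`/`<desc>` documentation block for userdom_ro_home_role sits directly above this hunk, outside it, and nothing in the patch updates it; after this change the role reads every type carrying the user_home_type attribute, not only user_home_t, and a caller deciding whether to use the interface needs that stated. Suggest adding a line to the `<desc>` block such as `## All user home content types (types with the user_home_type attribute) are readable through this role.` The same applies to the documentation header of userdom_manage_home_role above the third hunk, which gains the equivalent manage and relabel scope. The `type user_home_t, user_home_dir_t;` require is still needed, since user_home_t remains in use for the entrypoint and list_dir_perms rules further down the interface.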
@@ -162,10 +163,10 @@ interface(`userdom_ro_home_role',`
allow $2 user_home_dir_t:dir list_dir_perms;
allow $2 user_home_t:dir list_dir_perms;
allow $2 user_home_t:file entrypoint;
- read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ read_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
+ read_lnk_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
+ read_fifo_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
+ read_sock_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
files_list_home($2)

tunable_policy(`use_nfs_home_dirs',`
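Review bot: `allow $2 user_home_t:dir list_dir_perms;` on the second context line is now inconsistent with the four read patterns below it: read_files_pattern and its siblings grant only search_dir_perms on their directory argument, so directories labelled with any other user_home_type type become searchable but not listable by $2. If the intent is read access to all user home content, that line should become `allow $2 user_home_type:dir list_dir_perms;`; if not, the patterns should keep user_home_t as their first argument so the two rules agree. `allow $2 user_home_t:file entrypoint;` should stay on user_home_t alone, since an entrypoint rule over the whole attribute would let any home content type serve as a domain entrypoint. The tunable_policy block for use_nfs_home_dirs opens on the last line and continues outside the hunk.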
@@ -219,10 +220,11 @@ interface(`userdom_ro_home_role',`
#
interface(`userdom_manage_home_role',`
gen_require(`
+ attribute user_home_type;
type user_home_t, user_home_dir_t;
')

- role $1 types { user_home_t user_home_dir_t };
+ role $1 types { user_home_type user_home_dir_t };

##############################
#
@@ -233,16 +235,16 @@ interface(`userdom_manage_home_role',`

# full control of the home directory
allow $2 user_home_t:file entrypoint;
- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)

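Review bot: The comment `# full control of the home directory` on the second line no longer describes the rules beneath it: the manage and relabel patterns now span every type with the user_home_type attribute, and because user_home_type appears as both the relabelfrom and relabelto side, $2 can move content between any two such types. Suggest `# full control of the home directory and all user home content (user_home_type), including relabel between content types`, and the relabel scope deserves a sentence in the interface's `<desc>` block, which is outside this hunk. `allow $2 user_home_t:file entrypoint;` and the filetrans_pattern defaulting new objects to user_home_t are correctly left on the single type and should remain so.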
--
1.7.1



2010-07-09 12:26:59

by cpebenito

Subject: [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role

On 07/08/10 11:32, Dominick Grift wrote:
> Edit userdom_manage_home_role and userdom_ro_home_role to include attribute user_home_type.
> Allow users that call userdom_ro_home_role() to read all userdom_user_home_content.
> Allow users that call userdom_manange_home_role() to manage and relabel all userdom_user_home_content.

It didn't occur to me before, but we can't make this part of the
changeset. If you look at the sediff before and after this change,
other roles, such as auditadm, dbadm, and guest gain a bunch of new
permissions. For example, I see:

+ allow dbadm_t thunderbird_home_t : dir { add_name create getattr
ioctl link lock open read relabelfrom relabelto remove_name rename
reparent rmdir search setattr unlink write };
+ allow dbadm_t thunderbird_home_t : fifo_file { append create getattr
ioctl link lock open read relabelfrom relabelto rename setattr unlink
write };
+ allow dbadm_t thunderbird_home_t : file { append create getattr ioctl
link lock open read relabelfrom relabelto rename setattr unlink write };
+ allow dbadm_t thunderbird_home_t : lnk_file { create getattr link
read relabelfrom relabelto rename setattr unlink write };
+ allow dbadm_t thunderbird_home_t : sock_file { append create getattr
ioctl link lock open read relabelfrom relabelto rename setattr unlink
write };

But it doesn't have thunderbird_role().

> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 d5cf579... 347d339... M policy/modules/system/userdomain.if
> policy/modules/system/userdomain.if | 34 ++++++++++++++++++----------------
> 1 files changed, 18 insertions(+), 16 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d5cf579..347d339 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -146,10 +146,11 @@ template(`userdom_base_user_template',`
> #
> interface(`userdom_ro_home_role',`
> gen_require(`
> + attribute user_home_type;
> type user_home_t, user_home_dir_t;
> ')
>
> - role $1 types { user_home_t user_home_dir_t };
> + role $1 types { user_home_type user_home_dir_t };
>
> ##############################
> #
> @@ -162,10 +163,10 @@ interface(`userdom_ro_home_role',`
> allow $2 user_home_dir_t:dir list_dir_perms;
> allow $2 user_home_t:dir list_dir_perms;
> allow $2 user_home_t:file entrypoint;
> - read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> - read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> - read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> - read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> + read_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> + read_lnk_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> + read_fifo_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> + read_sock_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> files_list_home($2)
>
> tunable_policy(`use_nfs_home_dirs',`
> @@ -219,10 +220,11 @@ interface(`userdom_ro_home_role',`
> #
> interface(`userdom_manage_home_role',`
> gen_require(`
> + attribute user_home_type;
> type user_home_t, user_home_dir_t;
> ')
>
> - role $1 types { user_home_t user_home_dir_t };
> + role $1 types { user_home_type user_home_dir_t };
>
> ##############################
> #
> @@ -233,16 +235,16 @@ interface(`userdom_manage_home_role',`
>
> # full control of the home directory
> allow $2 user_home_t:file entrypoint;
> - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> + manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
> files_list_home($2)
>
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-07-09 12:37:20

by cpebenito

Subject: [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role

On 07/08/10 11:32, Dominick Grift wrote:
> Edit userdom_manage_home_role and userdom_ro_home_role to include attribute user_home_type.
> Allow users that call userdom_ro_home_role() to read all userdom_user_home_content.
> Allow users that call userdom_manange_home_role() to manage and relabel all userdom_user_home_content.
>
> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 d5cf579... 347d339... M policy/modules/system/userdomain.if
> policy/modules/system/userdomain.if | 34 ++++++++++++++++++----------------
> 1 files changed, 18 insertions(+), 16 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d5cf579..347d339 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -146,10 +146,11 @@ template(`userdom_base_user_template',`
> #
> interface(`userdom_ro_home_role',`
> gen_require(`
> + attribute user_home_type;
> type user_home_t, user_home_dir_t;
> ')
>
> - role $1 types { user_home_t user_home_dir_t };
> + role $1 types { user_home_type user_home_dir_t };
>
> ##############################
> #
> @@ -162,10 +163,10 @@ interface(`userdom_ro_home_role',`
> allow $2 user_home_dir_t:dir list_dir_perms;
> allow $2 user_home_t:dir list_dir_perms;
> allow $2 user_home_t:file entrypoint;
> - read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> - read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> - read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> - read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> + read_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> + read_lnk_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> + read_fifo_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> + read_sock_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> files_list_home($2)
>
> tunable_policy(`use_nfs_home_dirs',`
> @@ -219,10 +220,11 @@ interface(`userdom_ro_home_role',`
> #
> interface(`userdom_manage_home_role',`
> gen_require(`
> + attribute user_home_type;
> type user_home_t, user_home_dir_t;
> ')
>
> - role $1 types { user_home_t user_home_dir_t };
> + role $1 types { user_home_type user_home_dir_t };

Also, this is wrong. I have removed this and other lines like it in
userdomain.if.

> ##############################
> #
> @@ -233,16 +235,16 @@ interface(`userdom_manage_home_role',`
>
> # full control of the home directory
> allow $2 user_home_t:file entrypoint;
> - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> + manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
> files_list_home($2)
>
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com