Confined users can manage and relabel alsa home files.
Plus some cleanups inspired by example policy.
Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 69aa742... 376f4f7... M policy/modules/admin/alsa.if
:100644 100644 0c9876c... f9c23ed... M policy/modules/roles/staff.te
:100644 100644 2a19751... db0ebdd... M policy/modules/roles/sysadm.te
:100644 100644 e8a507d... a7620a4... M policy/modules/roles/unprivuser.te
policy/modules/admin/alsa.if | 53 +++++++++++++++++++++++++++++++-----
policy/modules/roles/staff.te | 5 +++
policy/modules/roles/sysadm.te | 5 +++
policy/modules/roles/unprivuser.te | 5 +++
4 files changed, 61 insertions(+), 7 deletions(-)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 69aa742..376f4f7 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -2,7 +2,7 @@
########################################
## <summary>
-## Execute a domain transition to run Alsa.
+## Transition to the alsa domain.
## </summary>
## <param name="domain">
## <summary>
@@ -16,12 +16,13 @@ interface(`alsa_domtrans',`
')
corecmd_search_bin($1)
+ files_search_usr($1)
domtrans_pattern($1, alsa_exec_t, alsa_t)
')
########################################
## <summary>
-## Read and write Alsa semaphores.
+## Read and write alsa semaphores.
## </summary>
## <param name="domain">
## <summary>
@@ -39,7 +40,7 @@ interface(`alsa_rw_semaphores',`
########################################
## <summary>
-## Read and write Alsa shared memory.
+## Read and write alsa shared memory.
## </summary>
## <param name="domain">
## <summary>
@@ -57,7 +58,7 @@ interface(`alsa_rw_shared_mem',`
########################################
## <summary>
-## Read writable Alsa config files.
+## Read writable alsa configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -82,7 +83,7 @@ interface(`alsa_read_rw_config',`
########################################
## <summary>
-## Manage writable Alsa config files.
+## Create, read, write, and delete writable alsa configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -107,7 +108,26 @@ interface(`alsa_manage_rw_config',`
########################################
## <summary>
-## Read Alsa home files.
+## Manage alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_home_files', `
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read alsa home files.
## </summary>
## <param name="domain">
## <summary>
@@ -126,7 +146,26 @@ interface(`alsa_read_home_files',`
########################################
## <summary>
-## Read Alsa lib files.
+## Relabel alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_relabel_home_files', `
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Read alsa lib files.
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0c9876c..f9c23ed 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -53,6 +53,11 @@ optional_policy(`
ifndef(`distro_redhat',`
optional_policy(`
+ alsa_manage_home_files(staff_t)
+ alsa_relabel_home_files(staff_t)
+ ')
+
+ optional_policy(`
auth_role(staff_r, staff_t)
')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2a19751..db0ebdd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -399,6 +399,11 @@ optional_policy(`
ifndef(`distro_redhat',`
optional_policy(`
+ alsa_manage_home_files(sysadm_t)
+ alsa_relabel_home_files(sysadm_t)
+ ')
+
+ optional_policy(`
auth_role(sysadm_r, sysadm_t)
')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e8a507d..a7620a4 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -26,6 +26,11 @@ optional_policy(`
ifndef(`distro_redhat',`
optional_policy(`
+ alsa_manage_home_files(user_t)
+ alsa_relabel_home_files(user_t)
+ ')
+
+ optional_policy(`
auth_role(user_r, user_t)
')
--
1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100908/34c0bd17/attachment.bin
On 09/08/10 06:41, Dominick Grift wrote:
> Confined users can manage and relabel alsa home files.
>
> Plus some cleanups inspired by example policy.
>
> Signed-off-by: Dominick Grift<[email protected]>
> ---
[...]
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 0c9876c..f9c23ed 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -53,6 +53,11 @@ optional_policy(`
>
> ifndef(`distro_redhat',`
> optional_policy(`
> + alsa_manage_home_files(staff_t)
> + alsa_relabel_home_files(staff_t)
> + ')
Is there a reason why this needs to be excluded on redhat systems?
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Thu, Sep 09, 2010 at 08:55:13AM -0400, Christopher J. PeBenito wrote:
> On 09/08/10 06:41, Dominick Grift wrote:
> >Confined users can manage and relabel alsa home files.
> >
> >Plus some cleanups inspired by example policy.
> >
> >Signed-off-by: Dominick Grift<[email protected]>
> >---
> [...]
> >diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> >index 0c9876c..f9c23ed 100644
> >--- a/policy/modules/roles/staff.te
> >+++ b/policy/modules/roles/staff.te
> >@@ -53,6 +53,11 @@ optional_policy(`
> >
> > ifndef(`distro_redhat',`
> > optional_policy(`
> >+ alsa_manage_home_files(staff_t)
> >+ alsa_relabel_home_files(staff_t)
> >+ ')
>
> Is there a reason why this needs to be excluded on redhat systems?
Yes confined users can manage and relabel all userdom_user_home_content by default (so its redundant)
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100909/22228b2d/attachment.bin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/09/2010 08:57 AM, Dominick Grift wrote:
> On Thu, Sep 09, 2010 at 08:55:13AM -0400, Christopher J. PeBenito wrote:
>> On 09/08/10 06:41, Dominick Grift wrote:
>>> Confined users can manage and relabel alsa home files.
>>>
>>> Plus some cleanups inspired by example policy.
>>>
>>> Signed-off-by: Dominick Grift<[email protected]>
>>> ---
>> [...]
>>> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
>>> index 0c9876c..f9c23ed 100644
>>> --- a/policy/modules/roles/staff.te
>>> +++ b/policy/modules/roles/staff.te
>>> @@ -53,6 +53,11 @@ optional_policy(`
>>>
>>> ifndef(`distro_redhat',`
>>> optional_policy(`
>>> + alsa_manage_home_files(staff_t)
>>> + alsa_relabel_home_files(staff_t)
>>> + ')
>>
>> Is there a reason why this needs to be excluded on redhat systems?
>
> Yes confined users can manage and relabel all userdom_user_home_content by default (so its redundant)
I would rather this not be there, to stop the type of question that
Chris asked. Redundancy is not a problem.
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> http://www.tresys.com | oss.tresys.com
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkyI5a8ACgkQrlYvE4MpobOu7ACeOObY66KGhzvhYddk0s182i9a
uwgAnA9E37RN0D2fXkOUrzuWxLz+Xkxh
=Hou2
-----END PGP SIGNATURE-----
On 09/09/10 09:48, Daniel J Walsh wrote:
> On 09/09/2010 08:57 AM, Dominick Grift wrote:
>> On Thu, Sep 09, 2010 at 08:55:13AM -0400, Christopher J. PeBenito wrote:
>>> On 09/08/10 06:41, Dominick Grift wrote:
>>>> Confined users can manage and relabel alsa home files.
>>>>
>>>> Plus some cleanups inspired by example policy.
>>>>
>>>> Signed-off-by: Dominick Grift<[email protected]>
>>>> ---
>>> [...]
>>>> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
>>>> index 0c9876c..f9c23ed 100644
>>>> --- a/policy/modules/roles/staff.te
>>>> +++ b/policy/modules/roles/staff.te
>>>> @@ -53,6 +53,11 @@ optional_policy(`
>>>>
>>>> ifndef(`distro_redhat',`
>>>> optional_policy(`
>>>> + alsa_manage_home_files(staff_t)
>>>> + alsa_relabel_home_files(staff_t)
>>>> + ')
>>>
>>> Is there a reason why this needs to be excluded on redhat systems?
>>
>> Yes confined users can manage and relabel all userdom_user_home_content by default (so its redundant)
> I would rather this not be there, to stop the type of question that
> Chris asked. Redundancy is not a problem.
I agree. While I try to remove redundancy, in this case, not having it
invites questions, since it stands out (conditional rules tend to draw
attention).
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Thu, Sep 09, 2010 at 10:59:09AM -0400, Christopher J. PeBenito wrote:
> On 09/09/10 09:48, Daniel J Walsh wrote:
> >On 09/09/2010 08:57 AM, Dominick Grift wrote:
> >>On Thu, Sep 09, 2010 at 08:55:13AM -0400, Christopher J. PeBenito wrote:
> >>>On 09/08/10 06:41, Dominick Grift wrote:
> >>>>Confined users can manage and relabel alsa home files.
> >>>>
> >>>>Plus some cleanups inspired by example policy.
> >>>>
> >>>>Signed-off-by: Dominick Grift<[email protected]>
> >>>>---
> >>>[...]
> >>>>diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> >>>>index 0c9876c..f9c23ed 100644
> >>>>--- a/policy/modules/roles/staff.te
> >>>>+++ b/policy/modules/roles/staff.te
> >>>>@@ -53,6 +53,11 @@ optional_policy(`
> >>>>
> >>>> ifndef(`distro_redhat',`
> >>>> optional_policy(`
> >>>>+ alsa_manage_home_files(staff_t)
> >>>>+ alsa_relabel_home_files(staff_t)
> >>>>+ ')
> >>>
> >>>Is there a reason why this needs to be excluded on redhat systems?
> >>
> >>Yes confined users can manage and relabel all userdom_user_home_content by default (so its redundant)
> >I would rather this not be there, to stop the type of question that
> >Chris asked. Redundancy is not a problem.
>
> I agree. While I try to remove redundancy, in this case, not having
> it invites questions, since it stands out (conditional rules tend to
> draw attention).
Let me throw in the consistency argument here:
if you look in staff.te you will notice that:
optional_policy(`
oident_manage_user_content(staff_t)
oident_relabel_user_content(staff_t)
')
is also in the ifndef distro_redhat block. This is exactly the same issue.
So why would alsa not be in there and oident be in there
Also i could put your questions the other way, i would instead ask why this policy is duplicate.
Its not the conditional block perse that raises questions, its the fact that refpolicy and fedora both use different policy.
Thats in my view the core issue.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100909/401ab311/attachment.bin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/09/2010 11:10 AM, Dominick Grift wrote:
> On Thu, Sep 09, 2010 at 10:59:09AM -0400, Christopher J. PeBenito wrote:
>> On 09/09/10 09:48, Daniel J Walsh wrote:
>>> On 09/09/2010 08:57 AM, Dominick Grift wrote:
>>>> On Thu, Sep 09, 2010 at 08:55:13AM -0400, Christopher J. PeBenito wrote:
>>>>> On 09/08/10 06:41, Dominick Grift wrote:
>>>>>> Confined users can manage and relabel alsa home files.
>>>>>>
>>>>>> Plus some cleanups inspired by example policy.
>>>>>>
>>>>>> Signed-off-by: Dominick Grift<[email protected]>
>>>>>> ---
>>>>> [...]
>>>>>> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
>>>>>> index 0c9876c..f9c23ed 100644
>>>>>> --- a/policy/modules/roles/staff.te
>>>>>> +++ b/policy/modules/roles/staff.te
>>>>>> @@ -53,6 +53,11 @@ optional_policy(`
>>>>>>
>>>>>> ifndef(`distro_redhat',`
>>>>>> optional_policy(`
>>>>>> + alsa_manage_home_files(staff_t)
>>>>>> + alsa_relabel_home_files(staff_t)
>>>>>> + ')
>>>>>
>>>>> Is there a reason why this needs to be excluded on redhat systems?
>>>>
>>>> Yes confined users can manage and relabel all userdom_user_home_content by default (so its redundant)
>>> I would rather this not be there, to stop the type of question that
>>> Chris asked. Redundancy is not a problem.
>>
>> I agree. While I try to remove redundancy, in this case, not having
>> it invites questions, since it stands out (conditional rules tend to
>> draw attention).
>
> Let me throw in the consistency argument here:
>
> if you look in staff.te you will notice that:
>
> optional_policy(`
> oident_manage_user_content(staff_t)
> oident_relabel_user_content(staff_t)
> ')
>
> is also in the ifndef distro_redhat block. This is exactly the same issue.
> So why would alsa not be in there and oident be in there
>
> Also i could put your questions the other way, i would instead ask why this policy is duplicate.
> Its not the conditional block perse that raises questions, its the fact that refpolicy and fedora both use different policy.
> Thats in my view the core issue.
>
>
>
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> http://www.tresys.com | oss.tresys.com
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
That being exclueded in staff_t is a mistake. I just want to eliminate
all default role transitions.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkyJI8UACgkQrlYvE4MpobOuQgCfZo/ungE9rKZR96ED1H6GQjSo
vjwAoOuEvGziYiNwXTvTRaEp1C5SDJxo
=oG+/
-----END PGP SIGNATURE-----