Unconditional.
Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 69aa742... 978edf4... M policy/modules/admin/alsa.if
:100644 100644 1854002... cfc307b... M policy/modules/roles/staff.te
:100644 100644 2a19751... c81e389... M policy/modules/roles/sysadm.te
:100644 100644 9b55b00... 763edf3... M policy/modules/roles/unprivuser.te
policy/modules/admin/alsa.if | 38 ++++++++++++++++++++++++++++++++++++
policy/modules/roles/staff.te | 5 ++++
policy/modules/roles/sysadm.te | 5 ++++
policy/modules/roles/unprivuser.te | 5 ++++
4 files changed, 53 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 69aa742..978edf4 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -126,6 +126,44 @@ interface(`alsa_read_home_files',`
########################################
## <summary>
+## Relabel alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_relabel_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Manage alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
## Read Alsa lib files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 1854002..cfc307b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff)
#
optional_policy(`
+ alsa_manage_home_files(staff_t)
+ alsa_relabel_home_files(staff_t)
+')
+
+optional_policy(`
apache_role(staff_r, staff_t)
')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2a19751..c81e389 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -62,6 +62,11 @@ tunable_policy(`allow_ptrace',`
')
optional_policy(`
+ alsa_manage_home_files(sysadm_t)
+ alsa_relabel_home_files(sysadm_t)
+')
+
+optional_policy(`
amanda_run_recover(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 9b55b00..763edf3 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -13,6 +13,11 @@ role user_r;
userdom_unpriv_user_template(user)
optional_policy(`
+ alsa_manage_home_files(user_t)
+ alsa_relabel_home_files(user_t)
+')
+
+optional_policy(`
apache_role(user_r, user_t)
')
--
1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100916/49caea52/attachment.bin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/16/2010 08:49 AM, Dominick Grift wrote:
> Unconditional.
>
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 69aa742... 978edf4... M policy/modules/admin/alsa.if
> :100644 100644 1854002... cfc307b... M policy/modules/roles/staff.te
> :100644 100644 2a19751... c81e389... M policy/modules/roles/sysadm.te
> :100644 100644 9b55b00... 763edf3... M policy/modules/roles/unprivuser.te
> policy/modules/admin/alsa.if | 38 ++++++++++++++++++++++++++++++++++++
> policy/modules/roles/staff.te | 5 ++++
> policy/modules/roles/sysadm.te | 5 ++++
> policy/modules/roles/unprivuser.te | 5 ++++
> 4 files changed, 53 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
> index 69aa742..978edf4 100644
> --- a/policy/modules/admin/alsa.if
> +++ b/policy/modules/admin/alsa.if
> @@ -126,6 +126,44 @@ interface(`alsa_read_home_files',`
>
> ########################################
> ## <summary>
> +## Relabel alsa home files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`alsa_relabel_home_files',`
> + gen_require(`
> + type alsa_home_t;
> + ')
> +
> + userdom_search_user_home_dirs($1)
> + allow $1 alsa_home_t:file relabel_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Manage alsa home files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`alsa_manage_home_files',`
> + gen_require(`
> + type alsa_home_t;
> + ')
> +
> + userdom_search_user_home_dirs($1)
> + allow $1 alsa_home_t:file manage_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read Alsa lib files.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 1854002..cfc307b 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff)
> #
>
> optional_policy(`
> + alsa_manage_home_files(staff_t)
> + alsa_relabel_home_files(staff_t)
> +')
> +
> +optional_policy(`
> apache_role(staff_r, staff_t)
> ')
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 2a19751..c81e389 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -62,6 +62,11 @@ tunable_policy(`allow_ptrace',`
> ')
>
> optional_policy(`
> + alsa_manage_home_files(sysadm_t)
> + alsa_relabel_home_files(sysadm_t)
> +')
> +
> +optional_policy(`
> amanda_run_recover(sysadm_t, sysadm_r)
> ')
>
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 9b55b00..763edf3 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -13,6 +13,11 @@ role user_r;
> userdom_unpriv_user_template(user)
>
> optional_policy(`
> + alsa_manage_home_files(user_t)
> + alsa_relabel_home_files(user_t)
> +')
Wouldn't it be better to put these in> userdom_unpriv_user_template
> +
> +optional_policy(`
> apache_role(user_r, user_t)
> ')
>
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkySMpcACgkQrlYvE4MpobNwygCgwNmlYmL9F01k3suhhLskW0Oo
Rg0AoKO+IkaoexK30IewWYq7n8/oUOaz
=cxqk
-----END PGP SIGNATURE-----
On 09/16/10 11:07, Daniel J Walsh wrote:
> On 09/16/2010 08:49 AM, Dominick Grift wrote:
>> Unconditional.
>>
>> Signed-off-by: Dominick Grift<[email protected]>
>> ---
>> :100644 100644 69aa742... 978edf4... M policy/modules/admin/alsa.if
>> :100644 100644 1854002... cfc307b... M policy/modules/roles/staff.te
>> :100644 100644 2a19751... c81e389... M policy/modules/roles/sysadm.te
>> :100644 100644 9b55b00... 763edf3... M policy/modules/roles/unprivuser.te
>> policy/modules/admin/alsa.if | 38 ++++++++++++++++++++++++++++++++++++
>> policy/modules/roles/staff.te | 5 ++++
>> policy/modules/roles/sysadm.te | 5 ++++
>> policy/modules/roles/unprivuser.te | 5 ++++
>> 4 files changed, 53 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
>> index 69aa742..978edf4 100644
>> --- a/policy/modules/admin/alsa.if
>> +++ b/policy/modules/admin/alsa.if
>> @@ -126,6 +126,44 @@ interface(`alsa_read_home_files',`
>>
>> ########################################
>> ##<summary>
>> +## Relabel alsa home files.
>> +##</summary>
>> +##<param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +##</param>
>> +#
>> +interface(`alsa_relabel_home_files',`
>> + gen_require(`
>> + type alsa_home_t;
>> + ')
>> +
>> + userdom_search_user_home_dirs($1)
>> + allow $1 alsa_home_t:file relabel_file_perms;
>> +')
>> +
>> +########################################
>> +##<summary>
>> +## Manage alsa home files.
>> +##</summary>
>> +##<param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +##</param>
>> +#
>> +interface(`alsa_manage_home_files',`
>> + gen_require(`
>> + type alsa_home_t;
>> + ')
>> +
>> + userdom_search_user_home_dirs($1)
>> + allow $1 alsa_home_t:file manage_file_perms;
>> +')
>> +
>> +########################################
>> +##<summary>
>> ## Read Alsa lib files.
>> ##</summary>
>> ##<param name="domain">
>> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
>> index 1854002..cfc307b 100644
>> --- a/policy/modules/roles/staff.te
>> +++ b/policy/modules/roles/staff.te
>> @@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff)
>> #
>>
>> optional_policy(`
>> + alsa_manage_home_files(staff_t)
>> + alsa_relabel_home_files(staff_t)
>> +')
>> +
>> +optional_policy(`
>> apache_role(staff_r, staff_t)
>> ')
>>
>> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
>> index 2a19751..c81e389 100644
>> --- a/policy/modules/roles/sysadm.te
>> +++ b/policy/modules/roles/sysadm.te
>> @@ -62,6 +62,11 @@ tunable_policy(`allow_ptrace',`
>> ')
>>
>> optional_policy(`
>> + alsa_manage_home_files(sysadm_t)
>> + alsa_relabel_home_files(sysadm_t)
>> +')
>> +
>> +optional_policy(`
>> amanda_run_recover(sysadm_t, sysadm_r)
>> ')
>>
>> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
>> index 9b55b00..763edf3 100644
>> --- a/policy/modules/roles/unprivuser.te
>> +++ b/policy/modules/roles/unprivuser.te
>> @@ -13,6 +13,11 @@ role user_r;
>> userdom_unpriv_user_template(user)
>>
>> optional_policy(`
>> + alsa_manage_home_files(user_t)
>> + alsa_relabel_home_files(user_t)
>> +')
>
> Wouldn't it be better to put these in> userdom_unpriv_user_template
If you wanted to cover all three roles, userdom_common_user_template()
would be the one to use.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/17/2010 08:34 AM, Christopher J. PeBenito wrote:
> On 09/16/10 11:07, Daniel J Walsh wrote:
>> On 09/16/2010 08:49 AM, Dominick Grift wrote:
>>> Unconditional.
>>>
>>> Signed-off-by: Dominick Grift<[email protected]>
>>> ---
>>> :100644 100644 69aa742... 978edf4... M policy/modules/admin/alsa.if
>>> :100644 100644 1854002... cfc307b... M policy/modules/roles/staff.te
>>> :100644 100644 2a19751... c81e389... M policy/modules/roles/sysadm.te
>>> :100644 100644 9b55b00... 763edf3... M
>>> policy/modules/roles/unprivuser.te
>>> policy/modules/admin/alsa.if | 38
>>> ++++++++++++++++++++++++++++++++++++
>>> policy/modules/roles/staff.te | 5 ++++
>>> policy/modules/roles/sysadm.te | 5 ++++
>>> policy/modules/roles/unprivuser.te | 5 ++++
>>> 4 files changed, 53 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
>>> index 69aa742..978edf4 100644
>>> --- a/policy/modules/admin/alsa.if
>>> +++ b/policy/modules/admin/alsa.if
>>> @@ -126,6 +126,44 @@ interface(`alsa_read_home_files',`
>>>
>>> ########################################
>>> ##<summary>
>>> +## Relabel alsa home files.
>>> +##</summary>
>>> +##<param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +##</param>
>>> +#
>>> +interface(`alsa_relabel_home_files',`
>>> + gen_require(`
>>> + type alsa_home_t;
>>> + ')
>>> +
>>> + userdom_search_user_home_dirs($1)
>>> + allow $1 alsa_home_t:file relabel_file_perms;
>>> +')
>>> +
>>> +########################################
>>> +##<summary>
>>> +## Manage alsa home files.
>>> +##</summary>
>>> +##<param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +##</param>
>>> +#
>>> +interface(`alsa_manage_home_files',`
>>> + gen_require(`
>>> + type alsa_home_t;
>>> + ')
>>> +
>>> + userdom_search_user_home_dirs($1)
>>> + allow $1 alsa_home_t:file manage_file_perms;
>>> +')
>>> +
>>> +########################################
>>> +##<summary>
>>> ## Read Alsa lib files.
>>> ##</summary>
>>> ##<param name="domain">
>>> diff --git a/policy/modules/roles/staff.te
>>> b/policy/modules/roles/staff.te
>>> index 1854002..cfc307b 100644
>>> --- a/policy/modules/roles/staff.te
>>> +++ b/policy/modules/roles/staff.te
>>> @@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff)
>>> #
>>>
>>> optional_policy(`
>>> + alsa_manage_home_files(staff_t)
>>> + alsa_relabel_home_files(staff_t)
>>> +')
>>> +
>>> +optional_policy(`
>>> apache_role(staff_r, staff_t)
>>> ')
>>>
>>> diff --git a/policy/modules/roles/sysadm.te
>>> b/policy/modules/roles/sysadm.te
>>> index 2a19751..c81e389 100644
>>> --- a/policy/modules/roles/sysadm.te
>>> +++ b/policy/modules/roles/sysadm.te
>>> @@ -62,6 +62,11 @@ tunable_policy(`allow_ptrace',`
>>> ')
>>>
>>> optional_policy(`
>>> + alsa_manage_home_files(sysadm_t)
>>> + alsa_relabel_home_files(sysadm_t)
>>> +')
>>> +
>>> +optional_policy(`
>>> amanda_run_recover(sysadm_t, sysadm_r)
>>> ')
>>>
>>> diff --git a/policy/modules/roles/unprivuser.te
>>> b/policy/modules/roles/unprivuser.te
>>> index 9b55b00..763edf3 100644
>>> --- a/policy/modules/roles/unprivuser.te
>>> +++ b/policy/modules/roles/unprivuser.te
>>> @@ -13,6 +13,11 @@ role user_r;
>>> userdom_unpriv_user_template(user)
>>>
>>> optional_policy(`
>>> + alsa_manage_home_files(user_t)
>>> + alsa_relabel_home_files(user_t)
>>> +')
>>
>> Wouldn't it be better to put these in> userdom_unpriv_user_template
>
> If you wanted to cover all three roles, userdom_common_user_template()
> would be the one to use.
>
I believe sysadm_t can already do this anyways. But I don't like
sysadm_t being used as a standard login domain. I guess I don't like it
at all...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkyTaGoACgkQrlYvE4MpobNC5gCgjwqk+Fo1M+rFHhoELLze2XuM
cIUAoOYHK594t0wmudQJIlLOLr2fAbVj
=upHg
-----END PGP SIGNATURE-----