From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 03 Mar 2010 11:10:39 -0500
Subject: [refpolicy] [ userdomain patch 1/1] Fix various interfaces to use permission sets for compatibility with open permission.
In-Reply-To: <20100303160816.GA22737@localhost.localdomain>
References: <20100303160816.GA22737@localhost.localdomain>
Message-ID: <1267632639.30557.98.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-03-03 at 17:08 +0100, Dominick Grift wrote:
> Signed-off-by: Dominick Grift

Perhaps you're just not being precise, but getattr and setattr alone don't require the open permission (I realize there are other changes in the patch that do require open).

> --- > :100644 100644 b18abce... 7e541ef... M policy/modules/system/userdomain.if > policy/modules/system/userdomain.if | 20 ++++++++++---------- > 1 files changed, 10 insertions(+), 10 deletions(-) > > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index b18abce..7e541ef 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -1313,7 +1313,7 @@ interface(`userdom_setattr_user_ptys',` > type user_devpts_t; > ') > > - allow $1 user_devpts_t:chr_file setattr; > + allow $1 user_devpts_t:chr_file setattr_chr_file_perms; > ') > > ######################################## > @@ -1655,7 +1655,7 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` > type user_home_t; > ') > > - dontaudit $1 user_home_t:file setattr; > + dontaudit $1 user_home_t:file setattr_file_perms; > ') > > ######################################## > @@ -1730,7 +1730,7 @@ interface(`userdom_dontaudit_append_user_home_content_files',` > type user_home_t; > ') > > - dontaudit $1 user_home_t:file append; > + dontaudit $1 user_home_t:file append_file_perms; > ') > > ######################################## 
> @@ -1748,7 +1748,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` > type user_home_t; > ') > > - dontaudit $1 user_home_t:file write; > + dontaudit $1 user_home_t:file write_file_perms; > ') > > ######################################## > @@ -1849,7 +1849,7 @@ interface(`userdom_dontaudit_exec_user_home_content_files',` > type user_home_t; > ') > > - dontaudit $1 user_home_t:file execute; > + dontaudit $1 user_home_t:file exec_file_perms; > ') > > ######################################## > @@ -2193,7 +2193,7 @@ interface(`userdom_dontaudit_append_user_tmp_files',` > type user_tmp_t; > ') > > - dontaudit $1 user_tmp_t:file append; > + dontaudit $1 user_tmp_t:file append_file_perms; > ') > > ######################################## > @@ -2467,7 +2467,7 @@ interface(`userdom_getattr_user_ttys',` > type user_tty_device_t; > ') > > - allow $1 user_tty_device_t:chr_file getattr; > + allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; > ') > > ######################################## > @@ -2485,7 +2485,7 @@ interface(`userdom_dontaudit_getattr_user_ttys',` > type user_tty_device_t; > ') > > - dontaudit $1 user_tty_device_t:chr_file getattr; > + dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; > ') > > ######################################## > @@ -2503,7 +2503,7 @@ interface(`userdom_setattr_user_ttys',` > type user_tty_device_t; > ') > > - allow $1 user_tty_device_t:chr_file setattr; > + allow $1 user_tty_device_t:chr_file setattr_chr_file_perms; > ') > > ######################################## 
> @@ -2521,7 +2521,7 @@ interface(`userdom_dontaudit_setattr_user_ttys',` > type user_tty_device_t; > ') > > - dontaudit $1 user_tty_device_t:chr_file setattr; > + dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms; > ') > > ########################################

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
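
Review bot: The getattr and setattr hunks (userdom_setattr_user_ptys, userdom_dontaudit_setattr_user_home_content_files, userdom_getattr_user_ttys, userdom_dontaudit_getattr_user_ttys, userdom_setattr_user_ttys, userdom_dontaudit_setattr_user_ttys) are not explained by the subject line: as the reply points out, getattr and setattr on their own do not need open, so these six replacements are a consistency change rather than an open-compatibility fix. Suggest saying so in the commit message, or splitting them from the append/write/execute hunks. For the three allow rules, the definitions of getattr_chr_file_perms and setattr_chr_file_perms are not part of this diff, so it is worth confirming they grant no more than the single permission they replace.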
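
Review bot: In the dontaudit hunks that replace append, write and execute on user_home_t:file and user_tmp_t:file with append_file_perms, write_file_perms and exec_file_perms, each rule now silences denials for every permission in the set, not only the one named by the interface. The set definitions are not visible in this diff; if a set carries more than the named permission plus open, then for example userdom_dontaudit_write_user_home_content_files would hide AVC denials that its name does not suggest, which costs visibility when reading audit logs. Suggest checking the set membership and, where it is wider, either updating the interface summary or listing the exact permissions, e.g. "dontaudit $1 user_home_t:file { write open };".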