From: domg472@gmail.com (Dominick Grift)
Date: Tue, 6 Jul 2010 16:31:52 +0200
Subject: [refpolicy] [ userdomain patch 1/1] Allow domains that call userdom_tmp_role() to relabel generic user_tmp_t file objects.
Message-ID: <20100706143148.GA19177@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I encountered this requirement when using poly-instantiation:

denied { relabelfrom } for pid=14189 comm="sshd" name="system_u:object_r:tmp_t:s0_domg472" dev=dm-3 ino=2884342 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir

Although in refpolicy sshd_t does not call userdom_tmp_role (makes me wonder how refpolicy deals with poly-instantiation). Nonetheless, to me it seems to make sense that if one gives access to manage a type, you may also want to give relabel perms.

Oh, and it is untested (but I committed this to my branch and I will test it when I build a new version).

Signed-off-by: Dominick Grift
---
:100644 100644 42d4e8d... 72203a0... M policy/modules/system/userdomain.if
policy/modules/system/userdomain.if | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 42d4e8d..72203a0 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -303,6 +303,12 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + + relabel_dirs_pattern($2, user_tmp_t, user_tmp_t) + relabel_files_pattern($2, user_tmp_t, user_tmp_t) + relabel_lnk_files_pattern($2, user_tmp_t, user_tmp_t) + relabel_sock_files_pattern($2, user_tmp_t, user_tmp_t) + relabel_fifo_files_pattern($2, user_tmp_t, user_tmp_t) ') ####################################### -- 1.7.1
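Review bot: The hunk touches `userdom_manage_tmp_role`, while the subject line and the body refer to `userdom_tmp_role()`; please make the subject name the interface actually changed, since that is what people grep the log for. Two further points on this hunk: the quoted AVC is for `sshd_t`, which the mail itself says does not call this interface, so the patch as posted does not resolve the denial it cites, and the mail states the change is untested, so it should be compiled and exercised against a polyinstantiated user_tmp_t directory before it is merged. Also note that each `relabel_*_pattern` call grants both relabelfrom and relabelto on user_tmp_t, so the interface's doc comment above line 303 should be updated to say the role domain may now relabel these objects, not only manage them.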