From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 06 Jul 2010 12:08:25 -0400
Subject: [refpolicy] [ userdomain patch 1/1] Allow domains that call userdom_tmp_role() to relabel generic user_tmp_t file objects.
In-Reply-To: <20100706143148.GA19177@localhost.localdomain>
References: <20100706143148.GA19177@localhost.localdomain>
Message-ID: <4C3354F9.2060404@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/06/10 10:31, Dominick Grift wrote:
> I encountered this requirement when using poly-instantiation:
>
> denied { relabelfrom } for pid=14189 comm="sshd" name="system_u:object_r:tmp_t:s0_domg472" dev=dm-3 ino=2884342 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
>
> Although in refpolicy sshd_t does not call userdom_tmp_role (Makes me wonder how refpolicy deals with poly-instantiation.)

Not sure what you mean here, but sshd_t should never be calling userdom_tmp_role(). That interface is only for building user roles/user domains.

> Nonetheless, to me it seems to make sense that if one gives access to manage a type, you may also want to give relabel perms.

NAK

Relabeling is special. There are a few exceptions, but it should almost always be separate from manage permissions.

> Oh, and it is untested (but I committed this to my branch and I will test it when I build a new version)
>
> Signed-off-by: Dominick Grift
> ---
> :100644 100644 42d4e8d... 72203a0... M policy/modules/system/userdomain.if
> policy/modules/system/userdomain.if | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 42d4e8d..72203a0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -303,6 +303,12 @@ interface(`userdom_manage_tmp_role',`
> manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
> manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
> files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
> +
> + relabel_dirs_pattern($2, user_tmp_t, user_tmp_t)
> + relabel_files_pattern($2, user_tmp_t, user_tmp_t)
> + relabel_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
> + relabel_sock_files_pattern($2, user_tmp_t, user_tmp_t)
> + relabel_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
> ')
>
> #######################################

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
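Review bot: the five relabel_*_pattern lines appended to userdom_manage_tmp_role grant relabel on every user_tmp_t object class to every user domain that calls this interface, yet the denial quoted above is a single relabelfrom on tclass=dir from sshd_t, which the submitter himself notes does not call userdom_manage_tmp_role, so the hunk does not address the reported denial while widening access for callers that never needed it. As the maintainer's reply says, relabel should be kept separate from manage: move these rules into their own dedicated interface that the domains which actually relabel user_tmp_t can call, and since the description states the change is untested, build and test it against the quoted AVC before re-sending.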