From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 06 Jul 2010 13:02:49 -0400
Subject: [refpolicy] [ userdomain patch 1/1] Allow domains that call userdom_tmp_role() to relabel generic user_tmp_t file objects.
In-Reply-To: <20100706162243.GB17216@localhost.localdomain>
References: <20100706143148.GA19177@localhost.localdomain> <4C3354F9.2060404@tresys.com> <20100706162243.GB17216@localhost.localdomain>
Message-ID: <4C3361B9.4070606@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/06/10 12:22, Dominick Grift wrote:
> On Tue, Jul 06, 2010 at 12:08:25PM -0400, Christopher J. PeBenito wrote:
>> On 07/06/10 10:31, Dominick Grift wrote:
>>> I encountered this requirement when using poly-instantiation:
>>>
>>> denied { relabelfrom } for pid=14189 comm="sshd" name="system_u:object_r:tmp_t:s0_domg472" dev=dm-3 ino=2884342 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
>>>
>>> Although in refpolicy sshd_t does not call userdom_tmp_role (makes me wonder how refpolicy deals with poly-instantiation).
>>
>> Not sure what you mean here, but sshd_t should never be calling
>> userdom_tmp_role(). That interface is only for building user
>> roles/user domains.
>
> pulseaudio.if: pulseaudio_role:
>
> userdom_manage_home_role($1, pulseaudio_t)
> userdom_manage_tmp_role($1, pulseaudio_t)
> userdom_manage_tmpfs_role($1, pulseaudio_t)
>
> wm.if: wm_role:
>
> userdom_manage_home_role($2, $1_wm_t)
> userdom_manage_tmpfs_role($2, $1_wm_t)
> userdom_manage_tmp_role($2, $1_wm_t)
>
> etc

I'm already working on removing these.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
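As an added illustration (not code from this thread or from refpolicy): a small parser for AVC denials like the one quoted above, which extracts the source/target types, class and permissions, renders the minimal allow rule the denial implies, and flags when the object name looks like a pam_namespace polyinstantiated directory. The second sample line and the context-shaped-name heuristic are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed samples: the sshd denial from the thread, plus a second
# constructed line for a file object so the parser is exercised more widely.
SAMPLE_AVC = [
    'denied { relabelfrom } for pid=14189 comm="sshd" '
    'name="system_u:object_r:tmp_t:s0_domg472" dev=dm-3 ino=2884342 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir',
    'denied { read write } for pid=2201 comm="pulseaudio" name="pulse-shm-1" '
    'scontext=unconfined_u:unconfined_r:pulseaudio_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file',
]

_DENIED = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')          # key=value or key="value"
_CONTEXT = re.compile(r'^\w+:\w+:\w+(:\S+)?$')          # user:role:type[:range]


@dataclass
class Denial:
    perms: list
    fields: dict

    @staticmethod
    def type_of(context):
        # user:role:type[:range] -> type
        return context.split(':')[2]

    def allow_rule(self):
        # The narrowest TE rule that would silence exactly this denial.
        return 'allow %s %s:%s { %s };' % (
            self.type_of(self.fields['scontext']),
            self.type_of(self.fields['tcontext']),
            self.fields['tclass'], ' '.join(self.perms))

    def polyinstantiated_dir(self):
        # Heuristic (assumption): pam_namespace instance directories carry
        # context-shaped names, as in the sshd denial above.
        name = self.fields.get('name', '')
        return self.fields['tclass'] == 'dir' and bool(_CONTEXT.match(name))


def parse_avc(line):
    """Return a Denial for an AVC 'denied' line, or None if it is not one."""
    m = _DENIED.search(line)
    if not m:
        return None
    fields = {k: (inner if raw.startswith('"') else raw)
              for k, raw, inner in _FIELD.findall(line)}
    return Denial(perms=m.group(1).split(), fields=fields)
```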