From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 06 Jul 2010 13:08:10 -0400
Subject: [refpolicy] [ userdomain patch 1/1] Allow domains that call userdom_tmp_role() to relabel generic user_tmp_t file objects.
In-Reply-To: <20100706170606.GD17216@localhost.localdomain>
References: <20100706143148.GA19177@localhost.localdomain> <4C3354F9.2060404@tresys.com> <20100706162243.GB17216@localhost.localdomain> <4C3361B9.4070606@tresys.com> <20100706170606.GD17216@localhost.localdomain>
Message-ID: <4C3362FA.4000706@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/06/10 13:06, Dominick Grift wrote:
> On Tue, Jul 06, 2010 at 01:02:49PM -0400, Christopher J. PeBenito wrote:
>> On 07/06/10 12:22, Dominick Grift wrote:
>>> On Tue, Jul 06, 2010 at 12:08:25PM -0400, Christopher J. PeBenito wrote:
>>>> On 07/06/10 10:31, Dominick Grift wrote:
>>>>> I encountered this requirement when using poly-instantiation:
>>>>>
>>>>> denied { relabelfrom } for pid=14189 comm="sshd" name="system_u:object_r:tmp_t:s0_domg472" dev=dm-3 ino=2884342 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
>>>>>
>>>>> Although in refpolicy sshd_t does not call userdom_tmp_role (Makes me wonder how refpolicy deals with poly-instantiation.)
>>>>
>>>> Not sure what you mean here, but sshd_t should never be calling
>>>> userdom_tmp_role(). That interface is only for building user
>>>> roles/user domains.
>>>
>>> pulseaudio.if: pulseaudio_role:
>>>
>>> userdom_manage_home_role($1, pulseaudio_t)
>>> userdom_manage_tmp_role($1, pulseaudio_t)
>>> userdom_manage_tmpfs_role($1, pulseaudio_t)
>>>
>>> wm.if: wm_role:
>>>
>>> userdom_manage_home_role($2, $1_wm_t)
>>> userdom_manage_tmpfs_role($2, $1_wm_t)
>>> userdom_manage_tmp_role($2, $1_wm_t)
>>>
>>> etc
>>
>> I'm already working on removing these.
>
> I am using a modified wm module that has these removed. You may want to see it. It is in my repository.
>
> As for pulseaudio, removing it will break things and stop pa from functioning with SELinux.

Well I'm not actually removing them, but replacing them.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
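The AVC denial quoted at the top of the thread is the kind of record a policy author has to decompose before deciding whether the needed access belongs in an interface such as userdom_manage_tmp_role() or is a sign of a mislabelled object. The following is an added example, not code from the thread or from refpolicy: it parses an AVC denial line into its fields, reduces the source and target contexts to their types, and flags the polyinstantiation case visible in the quoted message, where the directory's name field is itself a full security context (the "system_u:object_r:tmp_t:s0_domg472" name). The sample line is the one from the thread, re-wrapped; the function names and the heuristic for recognising a polyinstantiated name are this example's own assumptions.

```python
import re

# Constructed sample: the AVC denial quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'denied { relabelfrom } for pid=14189 comm="sshd" '
    'name="system_u:object_r:tmp_t:s0_domg472" dev=dm-3 ino=2884342 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir'
)

# "denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields.

    Returns None when the line is not an AVC denial record.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': m.group('perms').split(), **fields}


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return parts[2]


def is_polyinstantiated_name(name):
    """Heuristic (an assumption of this example): a polyinstantiated directory
    is named after the context it was created for, so its name field looks like
    a context string with object_r as the role, e.g.
    system_u:object_r:tmp_t:s0_domg472 in the quoted denial."""
    parts = name.split(':')
    return len(parts) >= 3 and parts[1] == 'object_r'


def denial_summary(line):
    """Reduce a denial to (source type, target type, class, perms, polyinstantiated?).

    This is the tuple a policy author compares against the interfaces the
    source domain already calls; it is not an allow rule to paste into policy.
    """
    rec = parse_avc(line)
    if rec is None:
        return None
    return (
        context_type(rec['scontext']),
        context_type(rec['tcontext']),
        rec['tclass'],
        tuple(rec['perms']),
        is_polyinstantiated_name(rec.get('name', '')),
    )


if __name__ == '__main__':
    print(denial_summary(SAMPLE_AVC))
```

For the quoted denial the summary is ('sshd_t', 'user_tmp_t', 'dir', ('relabelfrom',), True): the source type is sshd_t, not a user domain, and the target is a polyinstantiated directory, which is exactly why the thread questions whether the access should come from userdom_tmp_role() at all rather than from whatever handles polyinstantiation for sshd_t.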