From: domg472@gmail.com (Dominick Grift) Date: Thu, 8 Jul 2010 17:32:41 +0200 Subject: [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role Message-ID: <20100708153238.GA6701@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Edit userdom_manage_home_role and userdom_ro_home_role to include attribute user_home_type. Allow users that call userdom_ro_home_role() to read all userdom_user_home_content. Allow users that call userdom_manange_home_role() to manage and relabel all userdom_user_home_content. Signed-off-by: Dominick Grift --- :100644 100644 d5cf579... 347d339... M policy/modules/system/userdomain.if policy/modules/system/userdomain.if | 34 ++++++++++++++++++---------------- 1 files changed, 18 insertions(+), 16 deletions(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index d5cf579..347d339 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -146,10 +146,11 @@ template(`userdom_base_user_template',` # interface(`userdom_ro_home_role',` gen_require(` + attribute user_home_type; type user_home_t, user_home_dir_t; ') - role $1 types { user_home_t user_home_dir_t }; + role $1 types { user_home_type user_home_dir_t }; ############################## # @@ -162,10 +163,10 @@ interface(`userdom_ro_home_role',` allow $2 user_home_dir_t:dir list_dir_perms; allow $2 user_home_t:dir list_dir_perms; allow $2 user_home_t:file entrypoint; - read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + read_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type) + read_lnk_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type) + read_fifo_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type) + read_sock_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type) files_list_home($2) tunable_policy(`use_nfs_home_dirs',` @@ -219,10 +220,11 @@ interface(`userdom_ro_home_role',` # interface(`userdom_manage_home_role',` gen_require(` + attribute user_home_type; type user_home_t, user_home_dir_t; ') - role $1 types { user_home_t user_home_dir_t }; + role $1 types { user_home_type user_home_dir_t }; ############################## # @@ -233,16 +235,16 @@ interface(`userdom_manage_home_role',` # full control of the home directory allow $2 user_home_t:file entrypoint; - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -- 1.7.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100708/8a54e436/attachment.bin