From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 09 Jul 2010 08:26:59 -0400
Subject: [refpolicy] [ Simplify user content patch 2/7] userdom_ro_home_role and userdom_manage_home_role
In-Reply-To: <20100708153238.GA6701@localhost.localdomain>
References: <20100708153238.GA6701@localhost.localdomain>
Message-ID: <4C371593.6010505@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/08/10 11:32, Dominick Grift wrote:
> Edit userdom_manage_home_role and userdom_ro_home_role to include attribute user_home_type.
> Allow users that call userdom_ro_home_role() to read all userdom_user_home_content.
> Allow users that call userdom_manage_home_role() to manage and relabel all userdom_user_home_content.

It didn't occur to me before, but we can't make this part of the changeset. If you look at the sediff before and after this change, other roles, such as auditadm, dbadm, and guest, gain a bunch of new permissions. For example, I see:

+ allow dbadm_t thunderbird_home_t : dir { add_name create getattr ioctl link lock open read relabelfrom relabelto remove_name rename reparent rmdir search setattr unlink write };
+ allow dbadm_t thunderbird_home_t : fifo_file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
+ allow dbadm_t thunderbird_home_t : file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
+ allow dbadm_t thunderbird_home_t : lnk_file { create getattr link read relabelfrom relabelto rename setattr unlink write };
+ allow dbadm_t thunderbird_home_t : sock_file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };

But it doesn't have thunderbird_role().
> Signed-off-by: Dominick Grift > --- > :100644 100644 d5cf579... 347d339... M policy/modules/system/userdomain.if > policy/modules/system/userdomain.if | 34 ++++++++++++++++++---------------- > 1 files changed, 18 insertions(+), 16 deletions(-) > > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index d5cf579..347d339 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -146,10 +146,11 @@ template(`userdom_base_user_template',` > # > interface(`userdom_ro_home_role',` > gen_require(` > + attribute user_home_type; > type user_home_t, user_home_dir_t; > ') > > - role $1 types { user_home_t user_home_dir_t }; > + role $1 types { user_home_type user_home_dir_t }; > > ############################## > # > @@ -162,10 +163,10 @@ interface(`userdom_ro_home_role',` > allow $2 user_home_dir_t:dir list_dir_perms; > allow $2 user_home_t:dir list_dir_perms; > allow $2 user_home_t:file entrypoint; > - read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) > - read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) > - read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) > - read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) > + read_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type) > + read_lnk_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type) > + read_fifo_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type) > + read_sock_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type) > files_list_home($2) > > tunable_policy(`use_nfs_home_dirs',` 
> @@ -219,10 +220,11 @@ interface(`userdom_ro_home_role',` > # > interface(`userdom_manage_home_role',` > gen_require(` > + attribute user_home_type; > type user_home_t, user_home_dir_t; > ') > > - role $1 types { user_home_t user_home_dir_t }; > + role $1 types { user_home_type user_home_dir_t }; > > ############################## > # 
> @@ -233,16 +235,16 @@ interface(`userdom_manage_home_role',` > > # full control of the home directory > allow $2 user_home_t:file entrypoint; > - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) > - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) > - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) > - manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) > - manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) > - relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) > - relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) > - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) > - relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) > - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) > + manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) > + manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) > + manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) > + manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) > + manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) > + relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) > + relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) > + relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) > + relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) > + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) > filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) > files_list_home($2) > > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > 
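Review bot: the `role $1 types { user_home_type user_home_dir_t };` lines in both the `userdom_ro_home_role` and `userdom_manage_home_role` hunks authorize the caller's role for every type that carries `user_home_type`, including types declared by modules the role never opted into, which is exactly what the sediff excerpt in the reply shows for dbadm. If the intent is that these callers see all user home content, the broadened role authorization should either remain conditional on the role having called the owning module's role interface (thunderbird_role() in the example) or be moved into a separately named interface so existing callers keep their current scope.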
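Review bot: in the `userdom_ro_home_role` read-pattern hunk, once the `read_*_pattern($2, { user_home_type user_home_dir_t }, user_home_type)` lines are widened, the unchanged `allow $2 user_home_t:dir list_dir_perms;` just above them is inconsistent with them: the domain may read files in every `user_home_type` directory but may only list `user_home_t` directories. Either the list rule should use the same set, or, given the scope concern raised in the reply, the read patterns should stay on `user_home_t` and the widening be dropped from this changeset. Keeping `type user_home_t, user_home_dir_t;` in `gen_require` is still needed because the `entrypoint` and `list_dir_perms` rules reference `user_home_t` directly.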
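Review bot: the `relabel_*_pattern($2, { user_home_dir_t user_home_type }, user_home_type)` lines in the `userdom_manage_home_role` hunk grant relabelfrom and relabelto across every member of `user_home_type`, so a caller can move content between any two home-content types (for example from thunderbird_home_t to user_home_t), which defeats the separation those per-application types exist to provide; together with the `manage_*_pattern` lines this is the full-control set the sediff excerpt lists for dbadm_t. The unchanged `filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })` still labels newly created content only as `user_home_t`, so the management and relabel scope no longer matches the creation label; if broad relabeling is really wanted, an explicitly named opt-in interface would make that visible to callers.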
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
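As an added illustration (not code from this thread or from refpolicy), a small Python model of why the sediff in the reply shows dbadm_t gaining thunderbird_home_t rules: the attribute membership, the abbreviated permission sets, the role/allow encoding and the restriction to the file class are all assumptions made for the example.

```python
# Constructed model (not refpolicy code) of the interface change under review:
# writing the attribute user_home_type instead of the type user_home_t inside
# userdom_manage_home_role() makes every emitted rule apply to all members of
# the attribute, so a role that never called thunderbird_role() still gains
# thunderbird_home_t, which is what the sediff excerpt in the reply shows.

# Constructed attribute membership (assumption); real membership is whatever
# policy modules declare with typeattribute.
ATTRS = {"user_home_type": {"user_home_t", "thunderbird_home_t", "mozilla_home_t"}}

# Abbreviated permission sets (assumption); refpolicy's real macros are larger.
MANAGE_PERMS = frozenset("create getattr open read write rename unlink".split())
RELABEL_PERMS = frozenset({"relabelfrom", "relabelto"})


def expand(names, attrs=ATTRS):
    """Expand type names, replacing an attribute by its member types."""
    out = set()
    for n in names:
        out |= set(attrs.get(n, {n}))
    return out


def manage_home_role(role, domain, content):
    """Simplified userdom_manage_home_role(): the role/allow rules it emits.

    `content` is the set written in the interface: {"user_home_t"} before
    the patch, {"user_home_type"} after it.  Only the file class is modelled.
    """
    rules = {}
    for t in expand(content):
        rules[("role", role, t)] = frozenset({"types"})
        rules[("allow", domain, t, "file")] = MANAGE_PERMS | RELABEL_PERMS
    return rules


def added_rules(before, after):
    """Rules present (or widened) only in `after`: the '+' lines sediff prints."""
    return {k: v for k, v in after.items() if before.get(k) != v}


def new_types_for(role, domain, before_content, after_content):
    """Types the domain gains access to purely through the attribute substitution."""
    delta = added_rules(manage_home_role(role, domain, before_content),
                        manage_home_role(role, domain, after_content))
    return sorted({k[2] for k in delta if k[0] == "allow"})


if __name__ == "__main__":
    # dbadm_t calls userdom_manage_home_role() but never thunderbird_role():
    print(new_types_for("dbadm_r", "dbadm_t", {"user_home_t"}, {"user_home_type"}))
```

Running the same comparison on a real policy build is what sediff does; the model only makes the mechanism (attribute expansion inside a shared interface) visible without a policy compiler.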