From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 09 Jul 2010 08:28:23 -0400
Subject: [refpolicy] [ Simplify user content patch 6/7] userdom_manage_tmpfs_role
In-Reply-To: <20100708154044.GA6869@localhost.localdomain>
References: <20100708154044.GA6869@localhost.localdomain>
Message-ID: <4C3715E7.7040001@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/08/10 11:40, Dominick Grift wrote:
> Allow user domain for which userdom_manage_tmpfs_role template is called to manage and relabel all userdom_user_tmpfs_content.
> Fix userdom_user_tmp_content template (forgot some stuff)
> TODO:
> Remove all rules that implicitly allow login user domains to manage/relabel user tmpfs files.

We can't make this change (see patch 1 comments).

> Signed-off-by: Dominick Grift
> ---
> :100644 100644 728d1fa... d0f53d5... M policy/modules/system/userdomain.if
> policy/modules/system/userdomain.if | 30 ++++++++++++++++++------------
> 1 files changed, 18 insertions(+), 12 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 728d1fa..d0f53d5 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -301,11 +301,11 @@ interface(`userdom_manage_tmp_role',` > # Redundant: in userdomain.te files_policy_member_tmp(userdomain, user_tmp_t) > files_poly_member_tmp($2, user_tmp_t) > > - manage_dirs_pattern($2, user_tmp_t, user_tmp_t) > - manage_files_pattern($2, user_tmp_t, user_tmp_t) > - manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) > - manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) > - manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) > + manage_dirs_pattern($2, user_tmp_type, user_tmp_type) > + manage_files_pattern($2, user_tmp_type, user_tmp_type) > + manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type) > + manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) > + manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) > relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) > relabel_files_pattern($2, user_tmp_type, user_tmp_type) > relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) 
> @@ -362,16 +362,22 @@ interface(`userdom_exec_user_tmp_files',` > # > interface(`userdom_manage_tmpfs_role',` > gen_require(` > + attribute user_tmpfs_type; > type user_tmpfs_t; > ') > > - role $1 types user_tmpfs_t; > + role $1 types user_tmpfs_type; > > - manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) > - manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) > - manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) > - manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) > - manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) > + manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) > + manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type) > + manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) > + manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) > + manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) > + relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) > + relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type) > + relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) > + relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) > + relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) > fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) > ') > > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
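Review bot: the commit message says it fixes the userdom_user_tmp_content template, but the first hunk (@@ -301,11 +301,11 @@) edits userdom_manage_tmp_role, switching the five manage_*_pattern calls from user_tmp_t to the user_tmp_type attribute so they match the relabel_*_pattern lines that already use the attribute; the message should name the interface actually changed. The interface description should also state that the role's domain now manages every type carrying user_tmp_type rather than only user_tmp_t, because any module that later attaches the attribute to one of its types silently extends this grant.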
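Review bot: in the userdom_manage_tmpfs_role hunk, the five relabel_*_pattern lines are new permissions, not part of the user_tmpfs_t to user_tmpfs_type rename, so the interface now grants relabel access on all user_tmpfs_type types that it did not grant before; that expansion deserves its own sentence in the commit message and in the interface's doc comment. Keeping `type user_tmpfs_t;` in gen_require is correct since `fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })` is unchanged, meaning files the domain creates on tmpfs are still labelled user_tmpfs_t; the doc comment should say so, as the attribute widens what the domain may manage, not what it creates.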