From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 09 Jul 2010 08:29:38 -0400 Subject: [refpolicy] [ Simplify user content patch 4/7] userdom_manage_tmp_role In-Reply-To: <20100708153621.GA6791@localhost.localdomain> References: <20100708153621.GA6791@localhost.localdomain> Message-ID: <4C371632.8090803@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/08/10 11:36, Dominick Grift wrote: > Allow callers of the userdom_manage_tmp_role template full control over userdom_user_tmp_content. > > Signed-off-by: Dominick Grift > --- > :100644 100644 162d103... 7aec719... M policy/modules/system/userdomain.if > policy/modules/system/userdomain.if | 9 ++++++++- > 1 files changed, 8 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index 162d103..7aec719 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -292,11 +292,13 @@ interface(`userdom_manage_home_role',` > # > interface(`userdom_manage_tmp_role',` > gen_require(` > + attribute user_tmp_type; > type user_tmp_t; > ') > > - role $1 types user_tmp_t; > + role $1 types user_tmp_type; This is wrong. > + # Redundant: in userdomain.te files_policy_member_tmp(userdomain, user_tmp_t) > files_poly_member_tmp($2, user_tmp_t) > > manage_dirs_pattern($2, user_tmp_t, user_tmp_t) 
> @@ -304,6 +306,11 @@ interface(`userdom_manage_tmp_role',` > manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) > manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) > manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) > + relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) > + relabel_files_pattern($2, user_tmp_type, user_tmp_type) > + relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) > + relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type) > + relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) > files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) > ') We can't make this change (see comments for patch 1) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
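Review bot: In the first hunk (@@ -292,11 +292,13), `role $1 types user_tmp_type;` widens the role authorization from the single type user_tmp_t to every type carrying the attribute, while the manage_*_pattern and files_tmp_filetrans calls in the same interface still name only user_tmp_t, so the role grant and the access rules no longer cover the same set of types. Keep `role $1 types user_tmp_t;` unless the wider set is justified in the interface documentation. The added comment in this hunk also labels the existing call "Redundant" yet leaves it in place, and it spells the interface files_policy_member_tmp where the call beneath it is files_poly_member_tmp; either remove the call or remove the comment, and correct the name if the comment stays.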
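Review bot: In the second hunk (@@ -304,6 +306,11), the five added relabel_*_pattern calls take the attribute user_tmp_type as both source and target, while the manage_*_pattern calls above them and the files_tmp_filetrans call below stay on user_tmp_t. The commit message describes "full control", but the visible result is relabel access across the whole attribute and manage access on one type only. Make the two sets match, or scope the relabel rules to user_tmp_t, and document in the interface summary that callers gain permission to relabel between any types in user_tmp_type.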