From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 09 Jul 2010 08:37:20 -0400
Subject: [refpolicy] [ Simplify user content patch 2/7]
 userdom_ro_home_role and userdom_manage_home_role
In-Reply-To: <20100708153238.GA6701@localhost.localdomain>
References: <20100708153238.GA6701@localhost.localdomain>
Message-ID: <4C371800.7020702@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/08/10 11:32, Dominick Grift wrote:
> Edit userdom_manage_home_role and userdom_ro_home_role to include attribute user_home_type.
> Allow users that call userdom_ro_home_role() to read all userdom_user_home_content.
> Allow users that call userdom_manange_home_role() to manage and relabel all userdom_user_home_content.
>
> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 d5cf579... 347d339... M	policy/modules/system/userdomain.if
>   policy/modules/system/userdomain.if |   34 ++++++++++++++++++----------------
>   1 files changed, 18 insertions(+), 16 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d5cf579..347d339 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -146,10 +146,11 @@ template(`userdom_base_user_template',`
>   #
>   interface(`userdom_ro_home_role',`
>   	gen_require(`
> +		attribute user_home_type;
>   		type user_home_t, user_home_dir_t;
>   	')
>
> -	role $1 types { user_home_t user_home_dir_t };
> +	role $1 types { user_home_type user_home_dir_t };
>
>   	##############################
>   	#
> @@ -162,10 +163,10 @@ interface(`userdom_ro_home_role',`
>   	allow $2 user_home_dir_t:dir list_dir_perms;
>   	allow $2 user_home_t:dir list_dir_perms;
>   	allow $2 user_home_t:file entrypoint;
> -	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> -	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> +	read_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_lnk_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_fifo_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
> +	read_sock_files_pattern($2, { user_home_type user_home_dir_t }, user_home_type)
>   	files_list_home($2)
>
>   	tunable_policy(`use_nfs_home_dirs',`
> @@ -219,10 +220,11 @@ interface(`userdom_ro_home_role',`
>   #
>   interface(`userdom_manage_home_role',`
>   	gen_require(`
> +		attribute user_home_type;
>   		type user_home_t, user_home_dir_t;
>   	')
>
> -	role $1 types { user_home_t user_home_dir_t };
> +	role $1 types { user_home_type user_home_dir_t };

Also, this is wrong.  I have removed this and other lines like it in 
userdomain.if.

>   	##############################
>   	#
> @@ -233,16 +235,16 @@ interface(`userdom_manage_home_role',`
>
>   	# full control of the home directory
>   	allow $2 user_home_t:file entrypoint;
> -	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> -	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
> +	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
> +	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
>   	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
>   	files_list_home($2)
>
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com