From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 09 Sep 2010 10:59:09 -0400
Subject: [refpolicy] [alsa patch 1/1] Interaction with alsa home content by confined users.
In-Reply-To: <4C88E5AF.8050508@redhat.com>
References: <20100908104106.GA31213@localhost.localdomain> <4C88D931.2010807@tresys.com> <20100909125752.GD16089@localhost.localdomain> <4C88E5AF.8050508@redhat.com>
Message-ID: <4C88F63D.2060608@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/09/10 09:48, Daniel J Walsh wrote:
> On 09/09/2010 08:57 AM, Dominick Grift wrote:
>> On Thu, Sep 09, 2010 at 08:55:13AM -0400, Christopher J. PeBenito wrote:
>>> On 09/08/10 06:41, Dominick Grift wrote:
>>>> Confined users can manage and relabel alsa home files.
>>>>
>>>> Plus some cleanups inspired by example policy.
>>>>
>>>> Signed-off-by: Dominick Grift
>>>> ---
>>> [...]
>>>> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
>>>> index 0c9876c..f9c23ed 100644
>>>> --- a/policy/modules/roles/staff.te
>>>> +++ b/policy/modules/roles/staff.te
>>>> @@ -53,6 +53,11 @@ optional_policy(`
>>>>
>>>> ifndef(`distro_redhat',`
>>>> optional_policy(`
>>>> + alsa_manage_home_files(staff_t)
>>>> + alsa_relabel_home_files(staff_t)
>>>> + ')
>>>
>>> Is there a reason why this needs to be excluded on redhat systems?
>>
>> Yes, confined users can manage and relabel all userdom_user_home_content by default (so it's redundant)
> I would rather this not be there, to stop the type of question that
> Chris asked. Redundancy is not a problem.

I agree. While I try to remove redundancy, in this case, not having it invites questions, since it stands out (conditional rules tend to draw attention).

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
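
Review bot: the two added calls in the staff.te hunk, alsa_manage_home_files(staff_t) and alsa_relabel_home_files(staff_t), sit under the existing ifndef(`distro_redhat',` guard, so staff_t receives them only on non-Red Hat builds, and nothing in the hunk records why. Either move the optional_policy block that holds them outside the ifndef so the access is granted unconditionally, or add a comment on the guard stating the reason for the exclusion. The quoted hunk is cut off after the added ') line, so whether the remaining added lines leave the m4 quoting balanced cannot be checked from what is shown.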