From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 09 Sep 2010 14:13:26 -0400
Subject: [refpolicy] [alsa patch 1/1] Interaction with alsa home content by confined users.
In-Reply-To: <20100909151057.GE16089@localhost.localdomain>
References: <20100908104106.GA31213@localhost.localdomain>
 <4C88D931.2010807@tresys.com>
 <20100909125752.GD16089@localhost.localdomain>
 <4C88E5AF.8050508@redhat.com>
 <4C88F63D.2060608@tresys.com>
 <20100909151057.GE16089@localhost.localdomain>
Message-ID: <4C8923C6.7000904@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/09/2010 11:10 AM, Dominick Grift wrote:
> On Thu, Sep 09, 2010 at 10:59:09AM -0400, Christopher J. PeBenito wrote:
>> On 09/09/10 09:48, Daniel J Walsh wrote:
>>> On 09/09/2010 08:57 AM, Dominick Grift wrote:
>>>> On Thu, Sep 09, 2010 at 08:55:13AM -0400, Christopher J. PeBenito wrote:
>>>>> On 09/08/10 06:41, Dominick Grift wrote:
>>>>>> Confined users can manage and relabel alsa home files.
>>>>>>
>>>>>> Plus some cleanups inspired by example policy.
>>>>>>
>>>>>> Signed-off-by: Dominick Grift
>>>>>> ---
>>>>> [...]
>>>>>> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
>>>>>> index 0c9876c..f9c23ed 100644
>>>>>> --- a/policy/modules/roles/staff.te
>>>>>> +++ b/policy/modules/roles/staff.te
>>>>>> @@ -53,6 +53,11 @@ optional_policy(`
>>>>>>
>>>>>> ifndef(`distro_redhat',`
>>>>>> optional_policy(`
>>>>>> + alsa_manage_home_files(staff_t)
>>>>>> + alsa_relabel_home_files(staff_t)
>>>>>> + ')
>>>>>
>>>>> Is there a reason why this needs to be excluded on redhat systems?
>>>>
>>>> Yes, confined users can manage and relabel all userdom_user_home_content by default (so it's redundant)
>>> I would rather this not be there, to stop the type of question that
>>> Chris asked. Redundancy is not a problem.
>>
>> I agree. While I try to remove redundancy, in this case, not having
>> it invites questions, since it stands out (conditional rules tend to
>> draw attention).
>
> Let me throw in the consistency argument here:
>
> if you look in staff.te you will notice that:
>
> optional_policy(`
> oident_manage_user_content(staff_t)
> oident_relabel_user_content(staff_t)
> ')
>
> is also in the ifndef distro_redhat block. This is exactly the same issue.
> So why would alsa not be in there and oident be in there?
>
> Also I could put your questions the other way; I would instead ask why this policy is duplicated.
> It's not the conditional block per se that raises questions, it's the fact that refpolicy and Fedora both use different policy.
> That's in my view the core issue.
>
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> www.tresys.com | oss.tresys.com
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy

That being excluded in staff_t is a mistake. I just want to eliminate all default role transitions.
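Review bot: the ifndef(`distro_redhat',` guard around alsa_manage_home_files(staff_t) and alsa_relabel_home_files(staff_t) in the staff.te hunk is what reviewers stop on, and the only reason given for it (Red Hat already grants this through userdom_user_home_content) makes the rules redundant there rather than wrong, so the two calls belong in an unconditional optional_policy block; the oident_manage_user_content / oident_relabel_user_content calls that sit in the same ifndef block should get the same treatment in a follow-up patch. Also, the hunk header counts five added lines (-53,6 +53,11) while only three + lines survive in the quoted excerpt, so confirm against the unquoted patch that the enclosing optional_policy(` opener is really part of the change and not lost in quoting.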