From: domg472@gmail.com (Dominick Grift)
Date: Thu, 16 Sep 2010 14:49:29 +0200
Subject: [refpolicy] [alsa patch (RETRY) 1/1] Common confined users can manage and relabel alsa home files.
Message-ID: <20100916124925.GA5924@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Unconditional.
Signed-off-by: Dominick Grift
---
:100644 100644 69aa742... 978edf4... M policy/modules/admin/alsa.if
:100644 100644 1854002... cfc307b... M policy/modules/roles/staff.te
:100644 100644 2a19751... c81e389... M policy/modules/roles/sysadm.te
:100644 100644 9b55b00... 763edf3... M policy/modules/roles/unprivuser.te
policy/modules/admin/alsa.if | 38 ++++++++++++++++++++++++++++++++++++
policy/modules/roles/staff.te | 5 ++++
policy/modules/roles/sysadm.te | 5 ++++
policy/modules/roles/unprivuser.te | 5 ++++
4 files changed, 53 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 69aa742..978edf4 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -126,6 +126,44 @@ interface(`alsa_read_home_files',`
 ########################################
 ##
+## Relabel alsa home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`alsa_relabel_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file relabel_file_perms;
+')
+
+########################################
+##
+## Manage alsa home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`alsa_manage_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file manage_file_perms;
+')
+
+########################################
+##
 ## Read Alsa lib files.
 ##
 ##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 1854002..cfc307b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
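Review bot: In `alsa_relabel_home_files` (policy/modules/admin/alsa.if), `relabel_file_perms` covers relabelto as well as relabelfrom, so a caller can attach `alsa_home_t` to any file it is separately allowed to relabel from, not only restore the label on existing alsa files. The header summary `Relabel alsa home files.` should say so, for example `Relabel files to and from the alsa home file type.`, so that anyone reviewing a domain that reads `alsa_home_t` knows the content is user-controlled. Both new interfaces also cover only the `file` class; if `alsa_home_t` is ever applied to directories or symlinks (its declaration is not in this hunk), callers would need matching dir and lnk_file rules.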
@@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff)
 #
 optional_policy(`
+ alsa_manage_home_files(staff_t)
+ alsa_relabel_home_files(staff_t)
+')
+
+optional_policy(`
 apache_role(staff_r, staff_t)
 ')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2a19751..c81e389 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -62,6 +62,11 @@ tunable_policy(`allow_ptrace',`
 ')
 optional_policy(`
+ alsa_manage_home_files(sysadm_t)
+ alsa_relabel_home_files(sysadm_t)
+')
+
+optional_policy(`
 amanda_run_recover(sysadm_t, sysadm_r)
 ')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 9b55b00..763edf3 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -13,6 +13,11 @@ role user_r;
 userdom_unpriv_user_template(user)
 optional_policy(`
+ alsa_manage_home_files(user_t)
+ alsa_relabel_home_files(user_t)
+')
+
+optional_policy(`
 apache_role(user_r, user_t)
 ')
--
1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100916/49caea52/attachment.bin
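Review bot: The `optional_policy` block added to staff.te gives `staff_t` relabel rights on `alsa_home_t` alongside manage rights without any comment saying why relabel is needed, and the sysadm.te and unprivuser.te hunks repeat the same block for `sysadm_t` and `user_t`. Relabel grants on a user-writable type are easy to miss in a later audit, so a one-line comment above each block would help, e.g. `# users own their alsa home files and may restore the label on them`. If the grant is meant for every common confined user, as the subject says, it is worth confirming whether a shared user template would be a better place than three copies; that template is outside this diff.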