From: dwalsh@redhat.com (Daniel J Walsh) Date: Thu, 16 Sep 2010 11:07:04 -0400 Subject: [refpolicy] [alsa patch (RETRY) 1/1] Common confined users can manage and relabel alsa home files. In-Reply-To: <20100916124925.GA5924@localhost.localdomain> References: <20100916124925.GA5924@localhost.localdomain> Message-ID: <4C923298.9090406@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/16/2010 08:49 AM, Dominick Grift wrote: > Unconditional. > > Signed-off-by: Dominick Grift > --- > :100644 100644 69aa742... 978edf4... M policy/modules/admin/alsa.if > :100644 100644 1854002... cfc307b... M policy/modules/roles/staff.te > :100644 100644 2a19751... c81e389... M policy/modules/roles/sysadm.te > :100644 100644 9b55b00... 763edf3... M policy/modules/roles/unprivuser.te > policy/modules/admin/alsa.if | 38 ++++++++++++++++++++++++++++++++++++ > policy/modules/roles/staff.te | 5 ++++ > policy/modules/roles/sysadm.te | 5 ++++ > policy/modules/roles/unprivuser.te | 5 ++++ > 4 files changed, 53 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if > index 69aa742..978edf4 100644 > --- a/policy/modules/admin/alsa.if > +++ b/policy/modules/admin/alsa.if 
> @@ -126,6 +126,44 @@ interface(`alsa_read_home_files',` > > ######################################## > ## > +## Relabel alsa home files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`alsa_relabel_home_files',` > + gen_require(` > + type alsa_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + allow $1 alsa_home_t:file relabel_file_perms; > +') > + > +######################################## > +## > +## Manage alsa home files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`alsa_manage_home_files',` > + gen_require(` > + type alsa_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + allow $1 alsa_home_t:file manage_file_perms; > +') > + > +######################################## > +## > ## Read Alsa lib files. > ## > ## > diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te > index 1854002..cfc307b 100644 > --- a/policy/modules/roles/staff.te > +++ b/policy/modules/roles/staff.te > @@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff) > # > > optional_policy(` > + alsa_manage_home_files(staff_t) > + alsa_relabel_home_files(staff_t) > +') > + > +optional_policy(` > apache_role(staff_r, staff_t) > ') > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 2a19751..c81e389 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -62,6 +62,11 @@ tunable_policy(`allow_ptrace',` > ') > > optional_policy(` > + alsa_manage_home_files(sysadm_t) > + alsa_relabel_home_files(sysadm_t) > +') > + > +optional_policy(` > amanda_run_recover(sysadm_t, sysadm_r) > ') > > diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te > index 9b55b00..763edf3 100644 > --- a/policy/modules/roles/unprivuser.te > +++ b/policy/modules/roles/unprivuser.te 
> @@ -13,6 +13,11 @@ role user_r; > userdom_unpriv_user_template(user) > > optional_policy(` > + alsa_manage_home_files(user_t) > + alsa_relabel_home_files(user_t) > +') Wouldn't it be better to put these in> userdom_unpriv_user_template > + > +optional_policy(` > apache_role(user_r, user_t) > ') > > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkySMpcACgkQrlYvE4MpobNwygCgwNmlYmL9F01k3suhhLskW0Oo Rg0AoKO+IkaoexK30IewWYq7n8/oUOaz =cxqk -----END PGP SIGNATURE-----
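Review bot: in the alsa.if hunk, `alsa_manage_home_files` grants `manage_file_perms` only on files that already carry `alsa_home_t`; a file the user newly creates in the home directory takes the home directory's default type because the hunk adds no file type transition, so the manage interface alone does not let a user create a correctly labelled alsa config. If the intended workflow is that the user relabels by hand (which is what the companion `alsa_relabel_home_files` provides), say so in the interface summary; otherwise consider a `userdom_user_home_dir_filetrans($1, alsa_home_t, file)` call in the manage interface so new files get the type automatically. Both interfaces also restrict the rule to the `file` class, so any alsa home directories would be outside their scope; that is fine if only plain files are ever labelled `alsa_home_t`, but it is worth a line in the summary.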
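Review bot: the staff.te, sysadm.te and unprivuser.te hunks add the identical `optional_policy` block (`alsa_manage_home_files(X_t)` followed by `alsa_relabel_home_files(X_t)`) three times. The visible context in staff.te and unprivuser.te shows both roles being built with `userdom_unpriv_user_template(...)`, so a single call from inside that template would cover both without the copy-paste and would prevent a future user role from silently missing it; sysadm_t would then only need its own block if it does not go through that template. The placement of the new block before the apache `optional_policy` keeps the alphabetical ordering, which is correct.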