From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 17 Sep 2010 08:34:06 -0400
Subject: [refpolicy] [alsa patch (RETRY) 1/1] Common confined users can manage and relabel alsa home files.
In-Reply-To: <4C923298.9090406@redhat.com>
References: <20100916124925.GA5924@localhost.localdomain> <4C923298.9090406@redhat.com>
Message-ID: <4C93603E.2070804@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/16/10 11:07, Daniel J Walsh wrote:
> On 09/16/2010 08:49 AM, Dominick Grift wrote:
>> Unconditional.
>>
>> Signed-off-by: Dominick Grift
>> ---
>> :100644 100644 69aa742... 978edf4... M policy/modules/admin/alsa.if
>> :100644 100644 1854002... cfc307b... M policy/modules/roles/staff.te
>> :100644 100644 2a19751... c81e389... M policy/modules/roles/sysadm.te
>> :100644 100644 9b55b00... 763edf3... M policy/modules/roles/unprivuser.te
>> policy/modules/admin/alsa.if | 38 ++++++++++++++++++++++++++++++++++++
>> policy/modules/roles/staff.te | 5 ++++
>> policy/modules/roles/sysadm.te | 5 ++++
>> policy/modules/roles/unprivuser.te | 5 ++++
>> 4 files changed, 53 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if >> index 69aa742..978edf4 100644 >> --- a/policy/modules/admin/alsa.if >> +++ b/policy/modules/admin/alsa.if
>> @@ -126,6 +126,44 @@ interface(`alsa_read_home_files',` >> >> ######################################## >> ## >> +## Relabel alsa home files. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`alsa_relabel_home_files',` >> + gen_require(` >> + type alsa_home_t; >> + ') >> + >> + userdom_search_user_home_dirs($1) >> + allow $1 alsa_home_t:file relabel_file_perms; >> +') >> + >> +######################################## >> +## >> +## Manage alsa home files. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`alsa_manage_home_files',` >> + gen_require(` >> + type alsa_home_t; >> + ') >> + >> + userdom_search_user_home_dirs($1) >> + allow $1 alsa_home_t:file manage_file_perms; >> +') >> + >> +######################################## >> +## >> ## Read Alsa lib files. >> ## >> ## >> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te >> index 1854002..cfc307b 100644 >> --- a/policy/modules/roles/staff.te >> +++ b/policy/modules/roles/staff.te >> @@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff) >> # >> >> optional_policy(` >> + alsa_manage_home_files(staff_t) >> + alsa_relabel_home_files(staff_t) >> +') >> + >> +optional_policy(` >> apache_role(staff_r, staff_t) >> ') >> >> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te >> index 2a19751..c81e389 100644 >> --- a/policy/modules/roles/sysadm.te >> +++ b/policy/modules/roles/sysadm.te >> @@ -62,6 +62,11 @@ tunable_policy(`allow_ptrace',` >> ') >> >> optional_policy(` >> + alsa_manage_home_files(sysadm_t) >> + alsa_relabel_home_files(sysadm_t) >> +') >> + >> +optional_policy(` >> amanda_run_recover(sysadm_t, sysadm_r) >> ') >> >> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te >> index 9b55b00..763edf3 100644 >> --- a/policy/modules/roles/unprivuser.te >> +++ b/policy/modules/roles/unprivuser.te 
>> @@ -13,6 +13,11 @@ role user_r; >> userdom_unpriv_user_template(user) >> >> optional_policy(` >> + alsa_manage_home_files(user_t) >> + alsa_relabel_home_files(user_t) >> +')
>
> Wouldn't it be better to put these in
> userdom_unpriv_user_template

If you wanted to cover all three roles, userdom_common_user_template() would be the one to use.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
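Review bot: in the alsa.if hunk, `alsa_manage_home_files` grants `manage_file_perms` on `alsa_home_t` but adds no file type transition, so a file the caller creates in its home directory will still get the home directory's default type unless it is relabelled afterwards; that dependency on `alsa_relabel_home_files` is why the two are always called as a pair in the role hunks, and it should either be stated in the interface summary or removed by adding a home directory filetrans call (for example `userdom_user_home_dir_filetrans($1, alsa_home_t, file)`) so creation alone yields the right label. Both new interfaces also cover only the `file` class of `alsa_home_t`, which is consistent with the existing `alsa_read_home_files` above them, so that is fine as long as alsa home content stays file-only.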
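Review bot: the staff.te, sysadm.te and unprivuser.te hunks add the identical pair `alsa_manage_home_files(...)` / `alsa_relabel_home_files(...)` at three call sites. Because the access is unconditional and meant for every common user role (the subject line says so), a single call in the shared user template (`userdom_common_user_template()`, as the reply suggests) keeps the three roles from drifting apart; if the per-role calls are kept deliberately, the commit message, which currently only says "Unconditional.", should explain why they are not in the template and which alsa tool needs to write the home files.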