From: dwalsh@redhat.com (Daniel J Walsh) Date: Fri, 17 Sep 2010 09:08:58 -0400 Subject: [refpolicy] [alsa patch (RETRY) 1/1] Common confined users can manage and relabel alsa home files. In-Reply-To: <4C93603E.2070804@tresys.com> References: <20100916124925.GA5924@localhost.localdomain> <4C923298.9090406@redhat.com> <4C93603E.2070804@tresys.com> Message-ID: <4C93686A.5060507@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/17/2010 08:34 AM, Christopher J. PeBenito wrote: > On 09/16/10 11:07, Daniel J Walsh wrote: >> On 09/16/2010 08:49 AM, Dominick Grift wrote: >>> Unconditional. >>> >>> Signed-off-by: Dominick Grift >>> --- >>> :100644 100644 69aa742... 978edf4... M policy/modules/admin/alsa.if >>> :100644 100644 1854002... cfc307b... M policy/modules/roles/staff.te >>> :100644 100644 2a19751... c81e389... M policy/modules/roles/sysadm.te >>> :100644 100644 9b55b00... 763edf3... M >>> policy/modules/roles/unprivuser.te >>> policy/modules/admin/alsa.if | 38 >>> ++++++++++++++++++++++++++++++++++++ >>> policy/modules/roles/staff.te | 5 ++++ >>> policy/modules/roles/sysadm.te | 5 ++++ >>> policy/modules/roles/unprivuser.te | 5 ++++ >>> 4 files changed, 53 insertions(+), 0 deletions(-) >>> >>> diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if >>> index 69aa742..978edf4 100644 >>> --- a/policy/modules/admin/alsa.if >>> +++ b/policy/modules/admin/alsa.if >>> @@ -126,6 +126,44 @@ interface(`alsa_read_home_files',` >>> >>> ######################################## >>> ## >>> +## Relabel alsa home files. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +# >>> +interface(`alsa_relabel_home_files',` >>> + gen_require(` >>> + type alsa_home_t; >>> + ') >>> + >>> + userdom_search_user_home_dirs($1) >>> + allow $1 alsa_home_t:file relabel_file_perms; >>> +') >>> + >>> +######################################## >>> +## >>> +## Manage alsa home files. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +# >>> +interface(`alsa_manage_home_files',` >>> + gen_require(` >>> + type alsa_home_t; >>> + ') >>> + >>> + userdom_search_user_home_dirs($1) >>> + allow $1 alsa_home_t:file manage_file_perms; >>> +') >>> + >>> +######################################## >>> +## >>> ## Read Alsa lib files. >>> ## >>> ## >>> diff --git a/policy/modules/roles/staff.te >>> b/policy/modules/roles/staff.te >>> index 1854002..cfc307b 100644 >>> --- a/policy/modules/roles/staff.te >>> +++ b/policy/modules/roles/staff.te >>> @@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff) >>> # >>> >>> optional_policy(` >>> + alsa_manage_home_files(staff_t) >>> + alsa_relabel_home_files(staff_t) >>> +') >>> + >>> +optional_policy(` >>> apache_role(staff_r, staff_t) >>> ') >>> >>> diff --git a/policy/modules/roles/sysadm.te >>> b/policy/modules/roles/sysadm.te >>> index 2a19751..c81e389 100644 >>> --- a/policy/modules/roles/sysadm.te >>> +++ b/policy/modules/roles/sysadm.te >>> @@ -62,6 +62,11 @@ tunable_policy(`allow_ptrace',` >>> ') >>> >>> optional_policy(` >>> + alsa_manage_home_files(sysadm_t) >>> + alsa_relabel_home_files(sysadm_t) >>> +') >>> + >>> +optional_policy(` >>> amanda_run_recover(sysadm_t, sysadm_r) >>> ') >>> >>> diff --git a/policy/modules/roles/unprivuser.te >>> b/policy/modules/roles/unprivuser.te >>> index 9b55b00..763edf3 100644 >>> --- a/policy/modules/roles/unprivuser.te >>> +++ b/policy/modules/roles/unprivuser.te >>> @@ -13,6 +13,11 @@ role user_r; >>> userdom_unpriv_user_template(user) >>> >>> optional_policy(` >>> + alsa_manage_home_files(user_t) >>> + alsa_relabel_home_files(user_t) >>> +') >> >> Wouldn't it be better to put these in> userdom_unpriv_user_template > > If you wanted to cover all three roles, userdom_common_user_template() > would be the one to use. > I believe sysadm_t can already do this anyways. But I don't like sysadm_t being used as a standard login domain. I guess I don't like it at all... -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkyTaGoACgkQrlYvE4MpobNC5gCgjwqk+Fo1M+rFHhoELLze2XuM cIUAoOYHK594t0wmudQJIlLOLr2fAbVj =upHg -----END PGP SIGNATURE-----