From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 7 Aug 2012 20:55:57 +0200
Subject: [refpolicy] [PATCH] oidentd fixes
Message-ID: <1344365757-12896-1-git-send-email-dominick.grift@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
oident init script in debian is in /etc/init.d
~/.oidentd.conf is a single file
remove oidentd_read_user_content because interfaces aren' for internal usage
Signed-off-by: Dominick Grift
diff --git a/oident.fc b/oident.fc
index 5840ea8..5a99b3d 100644
--- a/oident.fc
+++ b/oident.fc
@@ -1,8 +1,9 @@
-HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0)
+HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
 /etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
 /etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
 /etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
+/etc/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
 /usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
diff --git a/oident.if b/oident.if
index bb4fae5..bfdcce2 100644
--- a/oident.if
+++ b/oident.if
@@ -9,26 +9,6 @@
 ########################################
 ##
-## Allow the specified domain to read
-## Oidentd personal configuration files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`oident_read_user_content', `
-	gen_require(`
-		type oidentd_home_t;
-	')
-
-	allow $1 oidentd_home_t:file read_file_perms;
-	userdom_search_user_home_dirs($1)
-')
-
-########################################
-##
 ## Allow the specified domain to create, read, write, and delete
 ## Oidentd personal configuration files.
 ##
diff --git a/oident.te b/oident.te
index 8845174..6e5be53 100644
--- a/oident.te
+++ b/oident.te
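Review bot: The new `HOME_DIR/\.oidentd.conf` entry on the first added line of the oident.fc hunk leaves the second dot unescaped, so the regex also matches names such as `.oidentdXconf`, while every sibling entry in the same hunk escapes both dots; it should read `HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)`. This assumes the missing backslash is in the patch itself and not an artifact of how this mail was transcribed, so please check the committed line. The added `--` is the right call: it restricts the oidentd_home_t label to regular files, so a directory or symlink a user plants under that name does not pick up the type, and nothing in this series grants the daemon lnk_file access to follow one.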
@@ -34,6 +34,8 @@
 allow oidentd_t oidentd_config_t:file read_file_perms;
+allow oidentd_t oidentd_home_t:file read_file_perms;
+
 corenet_all_recvfrom_unlabeled(oidentd_t)
 corenet_all_recvfrom_netlabel(oidentd_t)
 corenet_tcp_sendrecv_generic_if(oidentd_t)
@@ -58,7 +60,7 @@
 sysnet_read_config(oidentd_t)
-oident_read_user_content(oidentd_t)
+userdom_search_user_home_dirs(oidentd_t)
 optional_policy(`
 	nis_use_ypbind(oidentd_t)
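Review bot: The added `allow oidentd_t oidentd_home_t:file read_file_perms;` lets a system daemon read content that the owning user controls, and it lands among the local rules with no comment recording that this trust is deliberate; a line above it such as `# per-user ident replies are read from ~/.oidentd.conf, which the user can edit` would make the decision reviewable later. It is worth stating in the same comment that the rule is intentionally `file` class only, since the .fc entry in this series labels only regular files, so a symlink named .oidentd.conf is not followed and nobody should widen this to lnk_file without reconsidering that. The removed interface bundled this allow with `userdom_search_user_home_dirs`, which the series re-adds in the following hunk, so the two halves of the old interface now live apart in the .te and the comment is the only thing tying them together.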