From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 07 Aug 2012 21:48:08 +0200
Subject: [refpolicy] [PATCH] oidentd fixes
In-Reply-To: <1344365757-12896-1-git-send-email-dominick.grift@gmail.com>
References: <1344365757-12896-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <502170F8.1050400@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/08/2012 20:55, Dominick Grift wrote:
>
> oident init script in debian is in /etc/init.d
> ~/.oidentd.conf is a single file
> remove oidentd_read_user_content because interfaces aren' for internal
> usage
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/oident.fc b/oident.fc
> index 5840ea8..5a99b3d 100644
> --- a/oident.fc
> +++ b/oident.fc
> @@ -1,8 +1,9 @@
> -HOME_DIR/\.oidentd.conf			gen_context(system_u:object_r:oidentd_home_t, s0)
> +HOME_DIR/\.oidentd.conf	--	gen_context(system_u:object_r:oidentd_home_t, s0)
>
>   /etc/oidentd\.conf		--	gen_context(system_u:object_r:oidentd_config_t, s0)
>   /etc/oidentd_masq\.conf		--	gen_context(system_u:object_r:oidentd_config_t, s0)
>
>   /etc/rc\.d/init\.d/oidentd	--	gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
> +/etc/init\.d/oidentd	--	gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)

Why don't you use ifdef distro here ? And perhaps you might want to 
align it further right, as it would be easier to read.

Also, does anybody know whether a complete and always updated list of 
files for each distribution is available ? That would make the job of 
creating file context specifications much easier...

>   /usr/sbin/oidentd		--	gen_context(system_u:object_r:oidentd_exec_t, s0)
> diff --git a/oident.if b/oident.if
> index bb4fae5..bfdcce2 100644
> --- a/oident.if
> +++ b/oident.if
> @@ -9,26 +9,6 @@
>
>   ########################################
>   ## <summary>
> -##	Allow the specified domain to read
> -##	Oidentd personal configuration files.
> -## </summary>
> -## <param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -## </param>
> -#
> -interface(`oident_read_user_content', `
> -	gen_require(`
> -		type oidentd_home_t;
> -	')
> -
> -	allow $1 oidentd_home_t:file read_file_perms;
> -	userdom_search_user_home_dirs($1)
> -')
> -
> -########################################
> -## <summary>
>   ##	Allow the specified domain to create, read, write, and delete
>   ##	Oidentd personal configuration files.
>   ## </summary>
> diff --git a/oident.te b/oident.te
> index 8845174..6e5be53 100644
> --- a/oident.te
> +++ b/oident.te
> @@ -34,6 +34,8 @@
>
>   allow oidentd_t oidentd_config_t:file read_file_perms;
>
> +allow oidentd_t oidentd_home_t:file read_file_perms;
> +
>   corenet_all_recvfrom_unlabeled(oidentd_t)
>   corenet_all_recvfrom_netlabel(oidentd_t)
>   corenet_tcp_sendrecv_generic_if(oidentd_t)
> @@ -58,7 +60,7 @@
>
>   sysnet_read_config(oidentd_t)
>
> -oident_read_user_content(oidentd_t)
> +userdom_search_user_home_dirs(oidentd_t)
>
>   optional_policy(`
>   	nis_use_ypbind(oidentd_t)

Seems alright, although I am not using this.

Regards,

Guido