From: guido@trentalancia.com (Guido Trentalancia) Date: Tue, 07 Aug 2012 21:48:08 +0200 Subject: [refpolicy] [PATCH] oidentd fixes In-Reply-To: <1344365757-12896-1-git-send-email-dominick.grift@gmail.com> References: <1344365757-12896-1-git-send-email-dominick.grift@gmail.com> Message-ID: <502170F8.1050400@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/08/2012 20:55, Dominick Grift wrote: > > oident init script in debian is in /etc/init.d > ~/.oidentd.conf is a single file > remove oidentd_read_user_content because interfaces aren' for internal > usage > > Signed-off-by: Dominick Grift > diff --git a/oident.fc b/oident.fc > index 5840ea8..5a99b3d 100644 > --- a/oident.fc > +++ b/oident.fc > @@ -1,8 +1,9 @@ > -HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0) > +HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0) > > /etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) > /etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) > > /etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0) > +/etc/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0) Why don't you use ifdef distro here ? And perhaps you might want to align it further right, as it would be easier to read. Also, does anybody know whether a complete and always updated list of files for each distribution is available ? That would make the job of creating file context specifications much easier... > /usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0) > diff --git a/oident.if b/oident.if > index bb4fae5..bfdcce2 100644 > --- a/oident.if > +++ b/oident.if 
> @@ -9,26 +9,6 @@ > > ######################################## > ## > -## Allow the specified domain to read > -## Oidentd personal configuration files. > -## > -## > -## > -## Domain allowed access. > -## > -## > -# > -interface(`oident_read_user_content', ` > - gen_require(` > - type oidentd_home_t; > - ') > - > - allow $1 oidentd_home_t:file read_file_perms; > - userdom_search_user_home_dirs($1) > -') > - > -######################################## > -## > ## Allow the specified domain to create, read, write, and delete > ## Oidentd personal configuration files. > ## > diff --git a/oident.te b/oident.te > index 8845174..6e5be53 100644 > --- a/oident.te > +++ b/oident.te > @@ -34,6 +34,8 @@ > > allow oidentd_t oidentd_config_t:file read_file_perms; > > +allow oidentd_t oidentd_home_t:file read_file_perms; > + > corenet_all_recvfrom_unlabeled(oidentd_t) > corenet_all_recvfrom_netlabel(oidentd_t) > corenet_tcp_sendrecv_generic_if(oidentd_t) > @@ -58,7 +60,7 @@ > > sysnet_read_config(oidentd_t) > > -oident_read_user_content(oidentd_t) > +userdom_search_user_home_dirs(oidentd_t) > > optional_policy(` > nis_use_ypbind(oidentd_t) Seems alright, although I am not using this. Regards, Guido
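Review bot: in the oident.fc hunk, the edited line `HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)` escapes the leading dot but not the one before `conf`, unlike `/etc/oidentd\.conf` and `/etc/oidentd_masq\.conf` in the same file; file context paths are regular expressions, so the bare `.` matches any character there. Since the line is already being touched, suggest `HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)` so the label is only applied to the real file name.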
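Review bot: the oident.if hunk deletes the public interface `oident_read_user_content` outright instead of deprecating it, so any other module still calling it would fail to build; check the tree for remaining callers before merging. For oidentd_t itself nothing is lost, because the interface body (`allow $1 oidentd_home_t:file read_file_perms;` and `userdom_search_user_home_dirs($1)`) is reproduced directly in oident.te by the two hunks below.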
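Review bot: in the second oident.te hunk, replacing `oident_read_user_content(oidentd_t)` with `userdom_search_user_home_dirs(oidentd_t)` keeps only search on user home directories, while the read access to the per-user config now comes from the new `allow oidentd_t oidentd_home_t:file read_file_perms;` in the first oident.te hunk; the two hunks therefore have to land together, which they do here. The commit message only says the interface was removed; it should state that the rule was inlined into the module so the change is understandable from the log alone.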