From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 4 Sep 2012 23:21:08 +0200
Subject: [refpolicy] [PATCH 2/3] user access to DOS files
In-Reply-To: <1346793669-26282-1-git-send-email-bigon@debian.org>
References: <1346793669-26282-1-git-send-email-bigon@debian.org>
Message-ID: <1346793669-26282-2-git-send-email-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Mika Pflüger
Add a new boolean to grant users access to dosfs_t.
---
policy/global_tunables | 7 +++++++
policy/modules/system/userdomain.if | 6 ++++++
2 files changed, 13 insertions(+)
diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..43cc19a 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
##
##
gen_tunable(user_tcp_server,false)
+
+##
+##
+## Allow users to manage files on dosfs_t devices, usually removable media
+##
+##
+gen_tunable(user_manage_dos_files,true)
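Review bot: the new tunable at the end of this hunk defaults to true, while the neighbouring user_tcp_server tunable in the context above and use_samba_home_dirs in the hunk header both default to false. Defaulting to true means every system that picks up this policy grants the access without the administrator opting in. Consider gen_tunable(user_manage_dos_files,false) and let distributions or administrators enable it, or justify the permissive default in the commit message, which currently only says the boolean is added. The description could also say which users are affected, since "users" here depends on where the tunable is consumed in userdomain.if.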
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e720dcd..0c96b65 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ tunable_policy(`user_manage_dos_files',`
+ fs_manage_dos_dirs($1_t)
+ fs_manage_dos_files($1_t)
+ ')
+
')
#######################################
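Review bot: the tunable_policy block is added inside userdom_base_user_template, so fs_manage_dos_dirs($1_t) and fs_manage_dos_files($1_t) apply to every domain instantiated from the base template rather than only to the user roles that need removable media. Combined with the true default set in global_tunables, that is manage access (not just read) for all of those domains out of the box. Consider placing the block in a narrower template, or splitting it so that read access and manage access are controlled separately. Minor style point: the added blank line just before the closing ') of the template is not needed.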
--
1.7.10.4