From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 05 Sep 2012 01:45:01 +0200 Subject: [refpolicy] [PATCH 2/3] user access to DOS files In-Reply-To: <1346793669-26282-2-git-send-email-bigon@debian.org> References: <1346793669-26282-1-git-send-email-bigon@debian.org> <1346793669-26282-2-git-send-email-bigon@debian.org> Message-ID: <5046927D.8010809@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/09/2012 23:21, Laurent Bigonville wrote: > From: Mika Pfl?ger > > Add a new boolean to grant users access to dosfs_t. > --- > policy/global_tunables | 7 +++++++ > policy/modules/system/userdomain.if | 6 ++++++ > 2 files changed, 13 insertions(+) > > diff --git a/policy/global_tunables b/policy/global_tunables > index 4705ab6..43cc19a 100644 > --- a/policy/global_tunables > +++ b/policy/global_tunables > @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false) > ##

> ## > gen_tunable(user_tcp_server,false) > + > +## > +##

> +## Allow users to manage files on dosfs_t devices, usually removable media > +##

> +##
> +gen_tunable(user_manage_dos_files,true) In my opinion is good to have this as on option, but in a secure environment the default should be false for removable media. > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index e720dcd..0c96b65 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -117,6 +117,12 @@ template(`userdom_base_user_template',` > # Allow making the stack executable via mprotect. > allow $1_t self:process execstack; > ') > + > + tunable_policy(`user_manage_dos_files',` > + fs_manage_dos_dirs($1_t) > + fs_manage_dos_files($1_t) > + ') > + > ') > > ####################################### > Regards, Guido