From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 5 Sep 2012 13:58:14 -0400 Subject: [refpolicy] [PATCH v2 2/3] user access to DOS filesystems In-Reply-To: <1346860228-12760-1-git-send-email-bigon@debian.org> References: <1346828428.15262.53.camel@d30.localdomain> <1346860228-12760-1-git-send-email-bigon@debian.org> Message-ID: <504792B6.2050606@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/05/12 11:50, Laurent Bigonville wrote: > From: Mika Pfl??ger > > Add a new boolean to grant users access to dosfs_t. > --- > policy/global_tunables | 7 +++++++ > policy/modules/system/userdomain.if | 6 ++++++ > 2 files changed, 13 insertions(+) > > diff --git a/policy/global_tunables b/policy/global_tunables > index 4705ab6..092df0b 100644 > --- a/policy/global_tunables > +++ b/policy/global_tunables > @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false) > ##

> ## > gen_tunable(user_tcp_server,false) > + > +## > +##

> +## Determine whether users can manage dosfs content. > +##

> +## > +gen_tunable(userdomain_manage_dos_content,false) This should be moved to the userdomain module, as its effect is only in that module. Global tunables should only be used if the tunable is used in multiple modules. > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index e720dcd..949c738 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -117,6 +117,12 @@ template(`userdom_base_user_template',` > # Allow making the stack executable via mprotect. > allow $1_t self:process execstack; > ') > + > + tunable_policy(`userdomain_manage_dos_content',` > + fs_manage_dos_dirs($1_t) > + fs_manage_dos_files($1_t) > + ') > + This is too low level of a template for this access. It should be moved to a higher level template such as userdom_common_user_template. userdom_base_user_template is supposed to define the most minimal user. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com