From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 06 Sep 2012 19:05:37 +0200
Subject: [refpolicy] [PATCH 2/3] user access to DOS files
In-Reply-To: <5048CFD9.2080408@trentalancia.com>
References: <1346793669-26282-1-git-send-email-bigon@debian.org> <1346793669-26282-2-git-send-email-bigon@debian.org> <20120906162401.79ccd07b@eldamar.bigon.be> <5048CFD9.2080408@trentalancia.com>
Message-ID: <5048D7E1.3080200@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/09/2012 18:31, Guido Trentalancia wrote:
> On 06/09/2012 16:24, Laurent Bigonville wrote:
>> On Tue, 4 Sep 2012 23:21:08 +0200,
>> Laurent Bigonville wrote:
>>
>>> + tunable_policy(`user_manage_dos_files',`
>>> + fs_manage_dos_dirs($1_t)
>>> + fs_manage_dos_files($1_t)
>>> + ')
>>> +
>>> ')
>>
>> I was reading the code further and isn't the proposed patch actually
>> redundant with user_rw_noexattrfile?
>>
>> tunable_policy(`user_rw_noexattrfile',`
>> 	fs_manage_noxattr_fs_files($1_t)
>> 	fs_manage_noxattr_fs_dirs($1_t)
>> ',`
>> 	fs_read_noxattr_fs_files($1_t)
>> ')
>>
>> So shouldn't the proposed patch simply be dropped?
>
> Fortunately, it has not been applied, I think. And if it causes problems
> and degradation of current policy, as you now recognize, why did you
> post it in the first place then?

If you want to have some fun with filesystem-related things, then a very
light supplemental patch might be needed for the latest versions of the
ntfs-3g project, as far as I remember from testing.

It would need to have FUSE support, but optionalized (through good use
of tunable policy, which means do not allow by default the loading of the
fuse.ko kernel module and a few other related permissions that are only
needed in FUSE-supporting versions).
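
Review bot: The user_manage_dos_files block in the quoted hunk grants fs_manage_dos_dirs($1_t) and fs_manage_dos_files($1_t) under a second boolean that is independent of user_rw_noexattrfile. If, as the reply in this thread says, user_rw_noexattrfile already governs the same access, an administrator who leaves user_rw_noexattrfile off to keep users read-only would have that restriction bypassed whenever user_manage_dos_files is on. Either drop the block, as suggested in the thread, or state in the tunable's description how the two booleans interact. The visible lines also show no declaration or description for user_manage_dos_files, so its default value cannot be checked from this hunk; it should be declared with a default of false and a one-line description if that is not done elsewhere in the series.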