From: dominick.grift@gmail.com (Dominick Grift) Date: Fri, 19 Oct 2012 15:37:05 +0200 Subject: [refpolicy] [PATCH] Changes to the user domain policy module In-Reply-To: <50815438.5030306@tresys.com> References: <1350583695-21075-1-git-send-email-dominick.grift@gmail.com> <50815438.5030306@tresys.com> Message-ID: <1350653825.12496.20.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2012-10-19 at 09:23 -0400, Christopher J. PeBenito wrote: > On 10/18/12 14:08, Dominick Grift wrote: > > > > Content that (at least) common users need to be able to relabel and > > create with a type transition > > > > Signed-off-by: Dominick Grift > > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > > index 9d447a2..bcffe18 100644 > > --- a/policy/modules/system/userdomain.if > > +++ b/policy/modules/system/userdomain.if > > @@ -575,6 +575,7 @@ > > ') > > > > optional_policy(` > > + alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") > > alsa_manage_home_files($1_t) > > alsa_read_rw_config($1_t) > > alsa_relabel_home_files($1_t) > > @@ -629,7 +630,18 @@ > > ') > > > > optional_policy(` > > + kerberos_manage_krb5_home_files($1_t) > > + kerberos_relabel_krb5_home_files($1_t) > > + kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") > > + ') > > + > > + optional_policy(` > > locate_read_lib_files($1_t) > > + ') > > + > > + optional_policy(` > > + mpd_manage_user_data_content($1_t) > > + mpd_relabel_user_data_content($1_t) > > ') > > > > # for running depmod as part of the kernel packaging process 
> > @@ -645,11 +657,16 @@ > > tunable_policy(`allow_user_mysql_connect',` > > mysql_stream_connect($1_t) > > ') > > + > > + mysql_manage_mysqld_home_files($1_t) > > + mysql_relabel_mysqld_home_files($1_t) > > + mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf") > > ') > > > > optional_policy(` > > oident_manage_user_content($1_t) > > oident_relabel_user_content($1_t) > > + oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf") > > ') > > > > optional_policy(` > > @@ -670,6 +687,12 @@ > > ') > > > > optional_policy(` > > + ppp_manage_home_files($1_t) > > + ppp_relabel_home_files($1_t) > > + ppp_home_filetrans_ppp_home($1_t, file, ".ppprc") > > + ') > > + > > + optional_policy(` > > I don't have a problem with the transitions, but I have to think about if it makes sense to abstract away the names inside the interface (i.e. hardcode them) since those details likely belong in the respective modules. > What is the use of that? that only takes away flexibility.
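Review bot: in the `@@ -575,6 +575,7 @@` hunk the file name in `alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")` is a detail of the alsa module that the caller now has to know and spell exactly; a mismatch between the name here and the name alsa actually uses would leave the transition unmatched without any build error. If the three-argument form is kept, the commit message should say why the name lives in userdomain.if rather than behind a no-argument wrapper in alsa.if, since the same question applies to every named transition added by this patch.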
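Review bot: in the `@@ -629,7 +630,18 @@` hunk the kerberos block orders the calls manage, relabel, filetrans, while the alsa hunk places `alsa_home_filetrans_alsa_home` first, which is the alphabetical position; for consistency `kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")` should move above `kerberos_manage_krb5_home_files($1_t)`, and the same reordering applies to the mysql and ppp blocks later in the patch. The new mpd block is also the only one that gets manage and relabel without a matching home filetrans, so either one is missing or the commit message ("relabel and create with a type transition") should note that mpd user content gets no named transition.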
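Review bot: in the `@@ -645,11 +657,16 @@` hunk the existing `mysql_stream_connect($1_t)` stays inside `tunable_policy(\`allow_user_mysql_connect',` while the three new lines for `.my.cnf` (manage, relabel, filetrans) are added outside the tunable and therefore apply to every user domain unconditionally. That is defensible, since a client config file is useful without a local socket connection, but it widens what common users get by default, so the commit message should state that this is intended rather than leaving the reader to infer it from the placement.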