From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 3 Jan 2013 10:08:24 -0500 Subject: [refpolicy] [PATCH 7/8] Introduce rw_inherited_file_perms definition In-Reply-To: <1355737370-27628-8-git-send-email-sven.vermeulen@siphos.be> References: <1355737370-27628-1-git-send-email-sven.vermeulen@siphos.be> <1355737370-27628-8-git-send-email-sven.vermeulen@siphos.be> Message-ID: <50E59EE8.1000803@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/17/12 04:42, Sven Vermeulen wrote: > In many cases throughout the policy, domains require read/write privileges on > inherited descriptors. In most cases, these are for files, where the domain > needs the read-write permissions but of course no open privilege. > > Instead of having to hard-code the permissions every time, this patch introduces > the rw_inherited_file_perms to support simple calls for these inherited > descriptors. > > Signed-off-by: Sven Vermeulen > --- > policy/support/obj_perm_sets.spt | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt > index 6e91317..48f0c7a 100644 > --- a/policy/support/obj_perm_sets.spt > +++ b/policy/support/obj_perm_sets.spt 
> @@ -158,7 +158,8 @@ define(`mmap_file_perms',`{ getattr open read execute ioctl }') > define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') > define(`append_file_perms',`{ getattr open append lock ioctl }') > define(`write_file_perms',`{ getattr open write append lock ioctl }') > -define(`rw_file_perms',`{ getattr open read write append ioctl lock }') > +define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') > +define(`rw_file_perms',`{ rw_inherited_file_perms open }') > define(`create_file_perms',`{ getattr create open }') > define(`rename_file_perms',`{ getattr rename }') > define(`delete_file_perms',`{ getattr unlink }')> Since the tide seems to be going against me on these inherited permissions, I can accept it, but the change needs to be done for all of the relevant file classes. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
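Review bot: the hunk only introduces the new set; nothing in this patch consumes `rw_inherited_file_perms` (the diffstat shows obj_perm_sets.spt as the sole file touched), so the definition is unused until the callers that currently hard-code `{ getattr read write append ioctl lock }` are converted, and that conversion, or at least a pointer to the later patch in the series that does it, belongs in the commit message. Two further points: `rw_file_perms` now expands to a nested brace set, `{ { getattr read write append ioctl lock } open }`, which is fine wherever the build already accepts nested sets but is worth stating in the message since it changes the expanded form of a widely used macro; and the split is applied to the plain file class only, while the other rw_*_perms sets for the remaining file-like classes need the same inherited/open split for the definitions to stay consistent, as the reply itself asks.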