From: mgrepl@redhat.com (Miroslav Grepl)
Date: Thu, 24 Jul 2014 10:35:31 +0200
Subject: [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean
In-Reply-To: <1406147491-24852-1-git-send-email-jason@perfinion.com>
References: <1406147491-24852-1-git-send-email-jason@perfinion.com>
Message-ID: <53D0C553.30500@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/23/2014 10:31 PM, Jason Zaman wrote:
> gssd needs to be able to add entries to the kerberos credential > cache. This adds a boolean to allow that. > --- > rpc.te | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/rpc.te b/rpc.te > index 1a6dcc0..f2e44d5 100644 > --- a/rpc.te > +++ b/rpc.te > @@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false) > > ## > ##

> +## Determine whether gssd can write > +## generic user temporary content. > +##

> +##
> +gen_tunable(allow_gssd_write_tmp, false) > + > +## > +##

> ## Determine whether nfs can modify > ## public files used for public file > ## transfer services. Directories/Files must > @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',` > userdom_read_user_tmp_symlinks(gssd_t) > ') > > +tunable_policy(`allow_gssd_write_tmp',` > + userdom_list_user_tmp(gssd_t) > + userdom_write_user_tmp_files(gssd_t) > +') > + > optional_policy(` > automount_signal(gssd_t) > ')

We probably want to think about a better boolean name for this one. Maybe gssd_write_user_tmp_files.
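Review bot: in the first hunk, the name in `gen_tunable(allow_gssd_write_tmp, false)` only mirrors the older `allow_gssd_read_tmp` and does not say what is being permitted; a name that states the grant, such as `gssd_write_user_tmp_files`, reads better and matches what the tunable_policy block actually allows. The description "Determine whether gssd can write generic user temporary content" should also be narrowed to say it covers writing existing files in user temporary directories, since the hunk grants no create or directory-write permission.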
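Review bot: in the second hunk, `userdom_write_user_tmp_files(gssd_t)` is added without any read access, yet the commit message says gssd must add entries to an existing credential cache, which also means reading it; if the write interface grants only write permissions, the new boolean is only useful when `allow_gssd_read_tmp` is also enabled. Either state that dependency in the boolean description, or grant read and write together in this block (for example via a read/write user tmp interface, if one exists in the tree) so the boolean works on its own; note also that the read block covers symlinks via `userdom_read_user_tmp_symlinks(gssd_t)` while the write block does not.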