From: jason@perfinion.com (Jason Zaman)
Date: Thu, 24 Jul 2014 13:00:02 +0400
Subject: [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean
In-Reply-To: <53D0C553.30500@redhat.com>
References: <1406147491-24852-1-git-send-email-jason@perfinion.com> <53D0C553.30500@redhat.com>
Message-ID: <20140724090002.GA9783@pippin.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Jul 24, 2014 at 10:35:31AM +0200, Miroslav Grepl wrote:
> On 07/23/2014 10:31 PM, Jason Zaman wrote:
> > gssd needs to be able to add entries to the kerberos credential
> > cache. This adds a boolean to allow that.
> > --- > > rpc.te | 13 +++++++++++++ > > 1 file changed, 13 insertions(+) > > > > diff --git a/rpc.te b/rpc.te > > index 1a6dcc0..f2e44d5 100644 > > --- a/rpc.te > > +++ b/rpc.te > > @@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false) > > > > ## > > ##

> > +## Determine whether gssd can write > > +## generic user temporary content. > > +##

> > +##
> > +gen_tunable(allow_gssd_write_tmp, false) > > + > > +## > > +##

> > ## Determine whether nfs can modify > > ## public files used for public file > > ## transfer services. Directories/Files must > > @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',` > > userdom_read_user_tmp_symlinks(gssd_t) > > ') > > > > +tunable_policy(`allow_gssd_write_tmp',` > > + userdom_list_user_tmp(gssd_t) > > + userdom_write_user_tmp_files(gssd_t) > > +') > > + > > optional_policy(` > > automount_signal(gssd_t) > > ')
> We probably want to think about a better boolean name for this one. Maybe
>
> gssd_write_user_tmp_files

That does sound better, yes. I was basing it off the already existing read boolean. The original read one should be renamed too then, probably. In that case, do these sound better?

gssd_write_user_tmp_files
gssd_read_user_tmp_files

I can send a patch that renames the read one and adds the new write bool.
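Review bot: the new tunable_policy(`allow_gssd_write_tmp') block in the second hunk grants userdom_list_user_tmp(gssd_t) and userdom_write_user_tmp_files(gssd_t), which covers writing to user tmp files that already exist but not creating new ones, while the commit message says gssd needs to "add entries to the kerberos credential cache"; please confirm that write-only is enough for that case (the ccache file already present) or the boolean will not clear the denial it is meant for. The description added in the first hunk ("write generic user temporary content") also says nothing about the credential-cache use case; stating it there helps an administrator weigh the risk, since enabling the boolean opens write access to all user tmp files rather than just the ccache, which is why the default of false should stay as it is.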