From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 25 Jul 2014 08:19:16 -0400
Subject: [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean
In-Reply-To: <1406147491-24852-1-git-send-email-jason@perfinion.com>
References: <1406147491-24852-1-git-send-email-jason@perfinion.com>
Message-ID: <53D24B44.30909@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 7/23/2014 4:31 PM, Jason Zaman wrote:
> gssd needs to be able to add entries to the kerberos credential
> cache. This adds a boolean to allow that.

[...]

> @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
> userdom_read_user_tmp_symlinks(gssd_t)
> ')
>
> +tunable_policy(`allow_gssd_write_tmp',`
> + userdom_list_user_tmp(gssd_t)
> + userdom_write_user_tmp_files(gssd_t)
> +')
> +

Are you sure that these credential caches can't have more specific
labels, e.g. by name filetrans?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
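Review bot: The new tunable_policy block grants gssd_t write access to every file carrying the generic user tmp label via userdom_write_user_tmp_files(gssd_t), which is far broader than the Kerberos credential cache the commit message describes; any user-owned file in /tmp becomes writable by gssd once the boolean is enabled. As the existing allow_gssd_read_tmp block in the hunk context shows, the read side already has this all-or-nothing shape, and widening it to write makes the boolean a much larger trust decision. Prefer a dedicated type for the credential cache files (for example via a named file transition, as suggested in the reply) with allow rules on gssd_t for that type only, and reserve the boolean for setups where the cache truly cannot be relabeled. Whichever way it lands, the boolean's description in its gen_tunable declaration (not shown in this excerpt) should state plainly that it permits writes to all user tmp files, so administrators enabling it understand the scope.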