From: jason@perfinion.com (Jason Zaman) Date: Wed, 25 Mar 2015 10:24:43 +0800 Subject: [refpolicy] [PATCH 3/6] rpc: introduce allow_gssd_write_tmp boolean In-Reply-To: <1427250286-27053-1-git-send-email-jason@perfinion.com> References: <1427250286-27053-1-git-send-email-jason@perfinion.com> Message-ID: <1427250286-27053-3-git-send-email-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com gssd needs to be able to write the user's kerberos token into the ticket cache which is stored in /tmp type=AVC msg=audit(1427206305.314:9914): avc: granted { read write open } for pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1000" dev="tmpfs" ino=327516 scontext=system_u:system_r:gssd_t tcontext=staff_u:object_r:user_tmp_t tclass=file
---
rpc.te | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/rpc.te b/rpc.te
index 1a6dcc0..e2ea2eb 100644
--- a/rpc.te
+++ b/rpc.te
@@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
 ##
 ##

+## Determine whether gssd can write
+## generic user temporary content.
+##

+##
+gen_tunable(allow_gssd_write_tmp, false)
+
+##
+##

## Determine whether nfs can modify
 ## public files used for public file
 ## transfer services. Directories/Files must
@@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
 userdom_read_user_tmp_symlinks(gssd_t)
 ')
+tunable_policy(`allow_gssd_write_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_rw_user_tmp_files(gssd_t)
+')
+
 optional_policy(`
 automount_signal(gssd_t)
 ')
--
2.0.5
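Review bot: The description of the new `allow_gssd_write_tmp` tunable in the first hunk says only that gssd can write generic user temporary content; it does not say why the access is needed or that it covers every file of the user temporary type, not just the credential cache named in the commit message. An administrator deciding whether to flip the boolean needs that scope stated up front. Suggested description text: `## Determine whether gssd can write generic user temporary content, for example to store a user's Kerberos credential cache in /tmp.`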
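Review bot: The `allow_gssd_write_tmp` block in the second hunk grants `userdom_list_user_tmp(gssd_t)` and `userdom_rw_user_tmp_files(gssd_t)` but not the `userdom_read_user_tmp_symlinks(gssd_t)` that the `allow_gssd_read_tmp` block just above it carries, so if a credential cache is reached through a symlink under the user's tmp directory the write boolean alone is presumably not enough and the read boolean must be enabled as well. Either add `userdom_read_user_tmp_symlinks(gssd_t)` to the new block or state in the tunable description that the two booleans are meant to be enabled together. A short comment above the block would also help future readers see that the grant is wider than the single krb5cc file in the cited AVC, e.g. `# write access covers every user tmp file, not only the Kerberos credential cache this is needed for`.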