From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 12 Feb 2017 13:55:40 -0500
Subject: [refpolicy] [PATCH] inherited file and fifo perms
In-Reply-To: <20170212111815.apqpftynkfdjvbom@athena.coker.com.au>
References: <20170212111815.apqpftynkfdjvbom@athena.coker.com.au>
Message-ID: <776463eb-d378-9378-a29c-0f0889cf64b9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/12/17 06:18, Russell Coker via refpolicy wrote:
> The following patch defines new macros rw_inherited_fifo_file_perms and
> rw_inherited_term_perms for the obvious reason.
>
> I've had this in Debian for a while and some Debian policy relies on it.
>
> I think it's appropriate to include this before including any policy that
> relies on it because it's an obvious foundation for writing good policy.
>
> We could have inherited perms macros for other object types, but terminals
> and fifos are the main ones that get inherited.  The next best candidate
> for such a macro is a sock_file, and that's largely due to systemd setting
> programs stdout/stderr to unix domain sockets.
>
>
> Index: refpolicy-2.20170212/policy/support/obj_perm_sets.spt
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/support/obj_perm_sets.spt
> +++ refpolicy-2.20170212/policy/support/obj_perm_sets.spt
> @@ -192,7 +192,8 @@ define(`setattr_fifo_file_perms',`{ seta
>  define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
>  define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
>  define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
> -define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
> +define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
> +define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
>  define(`create_fifo_file_perms',`{ getattr create open }')
>  define(`rename_fifo_file_perms',`{ getattr rename }')
>  define(`delete_fifo_file_perms',`{ getattr unlink }')
> @@ -260,7 +261,8 @@ define(`relabel_chr_file_perms',`{ getat
>  #
>  # Use (read and write) terminals
>  #
> -define(`rw_term_perms', `{ getattr open read write append ioctl }')
> +define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
> +define(`rw_term_perms', `{ rw_inherited_term_perms open }')

Merged.

-- 
Chris PeBenito