From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 12 Feb 2017 13:55:40 -0500
Subject: [refpolicy] [PATCH] inherited file and fifo perms
In-Reply-To: <20170212111815.apqpftynkfdjvbom@athena.coker.com.au>
References: <20170212111815.apqpftynkfdjvbom@athena.coker.com.au>
Message-ID: <776463eb-d378-9378-a29c-0f0889cf64b9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/12/17 06:18, Russell Coker via refpolicy wrote:
> The following patch defines new macros rw_inherited_fifo_file_perms and
> rw_inherited_term_perms for the obvious reason.
>
> I've had this in Debian for a while and some Debian policy relies on it.
>
> I think it's appropriate to include this before including any policy that
> relies on it because it's an obvious foundation for writing good policy.
>
> We could have inherited perms macros for other object types, but terminals
> and fifos are the main ones that get inherited. The next best candidate
> for such a macro is a sock_file, and that's largely due to systemd setting
> programs' stdout/stderr to unix domain sockets.
>
>
> Index: refpolicy-2.20170212/policy/support/obj_perm_sets.spt
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/support/obj_perm_sets.spt
> +++ refpolicy-2.20170212/policy/support/obj_perm_sets.spt
> @@ -192,7 +192,8 @@ define(`setattr_fifo_file_perms',`{ seta
> define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
> define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
> define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
> -define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
> +define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
> +define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
> define(`create_fifo_file_perms',`{ getattr create open }')
> define(`rename_fifo_file_perms',`{ getattr rename }')
> define(`delete_fifo_file_perms',`{ getattr unlink }')
> @@ -260,7 +261,8 @@ define(`relabel_chr_file_perms',`{ getat
> #
> # Use (read and write) terminals
> #
> -define(`rw_term_perms', `{ getattr open read write append ioctl }')
> +define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
> +define(`rw_term_perms', `{ rw_inherited_term_perms open }')

Merged.

-- 
Chris PeBenito
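Review bot: the new rw_inherited_fifo_file_perms in the first hunk (`+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')`) arrives without the `#` comment block this file uses above each macro group (the convention is visible in the second hunk, `# Use (read and write) terminals`), so nothing in the file records that "inherited" means the descriptor was received already open and that `open` is omitted on purpose. Suggest a one-line comment above the define, such as `# Use fifo files inherited already open (no open permission)`, so a later reader does not "fix" the missing permission back in and silently widen every policy that relies on the narrower set.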
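Review bot: the second hunk orders the composite set as `{ rw_inherited_term_perms open }` while the first hunk writes `{ open rw_inherited_fifo_file_perms }`; both yield the same permissions once m4 substitutes the macro body and checkpolicy flattens the nested braces, but the two new definitions should use one order so the pair reads as a single pattern. The existing `# Use (read and write) terminals` comment now sits above two defines; consider extending it to say that the inherited variant is for terminals handed to the domain already open.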
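To make concrete what the two new macros grant once expanded, here is an added Python illustration; it is not part of the thread and not refpolicy's own tooling (refpolicy expands these definitions with m4 and compiles them with checkpolicy). It transcribes the four definitions from the patch, expands macro references and nested brace sets into a flat permission set the way m4 substitution followed by checkpolicy's nested-set flattening does, and checks constructed sample allow rules for whether they grant `open`, which is the whole difference between the inherited and non-inherited variants. The helper names (`expand_perm_set`, `rule_grants_open`, `rules_granting_open`) and the type names in the sample rules (`myapp_t`, `myapp_log_fifo_t`, `myapp_devpts_t`) are invented for this example.

```python
import re

# The four permission-set macros from the patch, transcribed as name -> body.
# Everything else in this block is added illustration code, not refpolicy's
# build tooling (which expands these with m4 and compiles them with checkpolicy).
PERM_SET_MACROS = {
    "rw_inherited_fifo_file_perms": "{ getattr read write append ioctl lock }",
    "rw_fifo_file_perms": "{ open rw_inherited_fifo_file_perms }",
    "rw_inherited_term_perms": "{ getattr read write append ioctl }",
    "rw_term_perms": "{ rw_inherited_term_perms open }",
}

# Tokens of a permission set: braces and identifiers.
TOKEN_RE = re.compile(r"\{|\}|[A-Za-z_][A-Za-z0-9_]*")


def expand_perm_set(text, macros=PERM_SET_MACROS, _seen=()):
    """Return the flat set of permissions named by `text`.

    Macro names are replaced by their bodies (what m4 does at use time), and
    nested { } sets are flattened (what checkpolicy does when it reads
    `{ open { getattr read ... } }`). Macro cycles and unbalanced braces raise.
    """
    perms = set()
    depth = 0
    for tok in TOKEN_RE.findall(text):
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces in %r" % text)
        elif tok in macros:
            if tok in _seen:
                raise ValueError("macro cycle through %s" % tok)
            perms |= expand_perm_set(macros[tok], macros, _seen + (tok,))
        else:
            perms.add(tok)
    if depth != 0:
        raise ValueError("unbalanced braces in %r" % text)
    return perms


# allow <source> <target>:<class> <perms>;
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(.+?)\s*;\s*$")


def rule_grants_open(rule, macros=PERM_SET_MACROS):
    """True if an allow rule, after macro expansion, grants the open permission,
    i.e. the domain may open a fresh object rather than only use an inherited one."""
    m = ALLOW_RE.match(rule)
    if not m:
        raise ValueError("not an allow rule: %r" % rule)
    _src, _tgt, _cls, perms = m.groups()
    return "open" in expand_perm_set(perms, macros)


# Constructed sample rules; the type names are hypothetical, not refpolicy types.
SAMPLE_RULES = [
    "allow myapp_t myapp_log_fifo_t:fifo_file rw_inherited_fifo_file_perms;",
    "allow myapp_t myapp_log_fifo_t:fifo_file rw_fifo_file_perms;",
    "allow myapp_t myapp_devpts_t:chr_file rw_inherited_term_perms;",
    "allow myapp_t myapp_devpts_t:chr_file rw_term_perms;",
]


def rules_granting_open(rules=SAMPLE_RULES, macros=PERM_SET_MACROS):
    """Return the subset of rules that let the source domain open the object itself."""
    return [r for r in rules if rule_grants_open(r, macros)]


if __name__ == "__main__":
    for name in PERM_SET_MACROS:
        print("%-32s -> %s" % (name, " ".join(sorted(expand_perm_set(name)))))
    for r in rules_granting_open():
        print("grants open:", r)
```

Run directly, the script prints each macro's flat expansion and lists only the two rules that use the non-inherited sets as granting `open`; the inherited rules let `myapp_t` read and write a fifo or terminal that a parent handed it, but not open a new one. The cycle check matters because a macro body that references itself would otherwise recurse forever, which is the kind of mistake a nested-set definition like the one in the patch makes possible.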