From: aranea@aixah.de (Luis Ressel)
Date: Tue, 12 Sep 2017 04:45:33 +0200
Subject: [refpolicy] [PATCH 3/3] miscfiles: Allow libfontconfig consumers to map the fonts cache
In-Reply-To:
References: <20170911220239.1953-1-aranea@aixah.de> <20170911220239.1953-3-aranea@aixah.de>
Message-ID: <20170912044533.3b4b86cb@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 11 Sep 2017 20:23:46 -0400 Chris PeBenito wrote:

> On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote:
> > --- > > policy/modules/system/miscfiles.if | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/policy/modules/system/miscfiles.if > > b/policy/modules/system/miscfiles.if index 0e0ac3bf..e4918b47 100644 > > --- a/policy/modules/system/miscfiles.if > > +++ b/policy/modules/system/miscfiles.if > > @@ -151,6 +151,7 @@ interface(`miscfiles_read_fonts',` > > > > allow $1 fonts_cache_t:dir list_dir_perms; > > read_files_pattern($1, fonts_cache_t, fonts_cache_t) > > + allow $1 fonts_cache_t:file map; > > read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) > > ')
>
> Are you sure that all users of this interface are from libfontconfig?
> After looking at your other patches, I'm starting to wonder if more
> abstract interfaces are worthwhile, similar to
> seutil_libselinux_linked(). Then we could reasonably add the map in
> a libfontconfig_linked() interface without fear of future users
> getting unnecessary perms on this generic interface.
>

Considering that the only path we're labeling fonts_cache_t is
/var/cache/fontconfig: Yes, I am pretty sure that only libfontconfig
consumers need access permissions for fonts_cache_t. :)
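
Review bot: The added "allow $1 fonts_cache_t:file map;" line in miscfiles_read_fonts grants map to every caller of a generic read interface, and the commit body (nothing before the "---") does not record which denial or consumer motivated it. Suggest naming the triggering consumer in the commit message, and either documenting in the interface summary that it now also permits mapping fonts_cache_t files or moving the rule into a narrower interface along the lines of the libfontconfig_linked() idea raised in this thread. If the rule stays here, its placement directly after "read_files_pattern($1, fonts_cache_t, fonts_cache_t)" is reasonable, since it keeps the file permissions for fonts_cache_t together.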