2017-02-12 11:18:15

by Russell Coker

Subject: [refpolicy] [PATCH] inherited file and fifo perms

The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.

I've had this in Debian for a while and some Debian policy relies on it.

I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.

We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited. The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs' stdout/stderr to unix domain sockets.


Index: refpolicy-2.20170212/policy/support/obj_perm_sets.spt
===================================================================
--- refpolicy-2.20170212.orig/policy/support/obj_perm_sets.spt
+++ refpolicy-2.20170212/policy/support/obj_perm_sets.spt
@@ -192,7 +192,8 @@ define(`setattr_fifo_file_perms',`{ seta
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
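Review bot: the new `rw_inherited_fifo_file_perms` line has no comment saying what "inherited" means, whereas the terminal block below carries a `# Use (read and write) terminals` header; add a line above it stating that the set deliberately omits `open` because it covers a fifo whose descriptor the domain already holds (inherited across exec or passed to it), so the domain may read and write that descriptor but cannot open the fifo by path, which is the distinction the split exists for. Also worth noting in that comment: after m4 expansion `rw_fifo_file_perms` becomes `{ open { getattr read write append ioctl lock } }`; checkpolicy accepts nested sets, so the granted permissions are unchanged, but readers grepping the expanded policy will see the nested braces.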
@@ -260,7 +261,8 @@ define(`relabel_chr_file_perms',`{ getat
#
# Use (read and write) terminals
#
-define(`rw_term_perms', `{ getattr open read write append ioctl }')
+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
+define(`rw_term_perms', `{ rw_inherited_term_perms open }')

#
# Sockets
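Review bot: `rw_term_perms` lists the nested macro first (`{ rw_inherited_term_perms open }`) while the fifo hunk puts `open` first (`{ open rw_inherited_fifo_file_perms }`); pick one order for both so later inherited sets follow a single pattern. The `# Use (read and write) terminals` header still describes only the full set; extend it to say the inherited variant is for a terminal the domain already has open (stdin/stdout/stderr handed down by its parent) and does not grant `open`.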

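As an added example (my code, not from the patch or from refpolicy), here is a small flattener that does what m4 expansion and checkpolicy's nested-set handling do for the four macros above and checks that each inherited set is exactly its full counterpart minus `open`; the macro lines in `OBJ_PERM_SETS` are constructed from the hunks, and the macro names and the `parse_defines`/`flatten`/`inherited_diff` helpers are mine.

```python
"""Flatten refpolicy-style permission-set macros.

Added example, not part of the patch or of refpolicy itself. It mimics
what m4 expansion plus checkpolicy's nested-set handling produce for the
macros in the patch, so a policy author can confirm that an inherited
set is its full counterpart without `open` (the permission needed to
open the object by path rather than use a descriptor already held).
"""
import re

# Constructed input: the four macro lines as they read after the patch.
OBJ_PERM_SETS = r"""
define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
define(`rw_term_perms', `{ rw_inherited_term_perms open }')
"""

# Matches define(`name',`{ tokens }') with optional space after the comma.
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`\{(.*)\}'\)")


def parse_defines(text):
    """Map macro name -> list of tokens inside its braces (unexpanded)."""
    defs = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line.strip())
        if m:
            defs[m.group(1)] = m.group(2).split()
    return defs


def flatten(name, defs, _seen=()):
    """Expand nested macro references into the flat permission set that
    checkpolicy ends up with, e.g. { open { getattr ... } } -> {...}."""
    if name in _seen:
        raise ValueError(f"recursive macro {name}")
    perms = set()
    for tok in defs[name]:
        if tok in defs:
            perms |= flatten(tok, defs, _seen + (name,))
        else:
            perms.add(tok)
    return perms


def inherited_diff(full, inherited, defs):
    """Permissions in the full set that the inherited set lacks."""
    return flatten(full, defs) - flatten(inherited, defs)


if __name__ == "__main__":
    d = parse_defines(OBJ_PERM_SETS)
    for full, inh in (("rw_fifo_file_perms", "rw_inherited_fifo_file_perms"),
                      ("rw_term_perms", "rw_inherited_term_perms")):
        print(full, "=", sorted(flatten(full, d)), "minus", inh, "=",
              inherited_diff(full, inh, d))
```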

2017-02-12 18:55:40

by Chris PeBenito

Subject: [refpolicy] [PATCH] inherited file and fifo perms

On 02/12/17 06:18, Russell Coker via refpolicy wrote:
> The following patch defines new macros rw_inherited_fifo_file_perms and
> rw_inherited_term_perms for the obvious reason.
>
> I've had this in Debian for a while and some Debian policy relies on it.
>
> I think it's appropriate to include this before including any policy that
> relies on it because it's an obvious foundation for writing good policy.
>
> We could have inherited perms macros for other object types, but terminals
> and fifos are the main ones that get inherited. The next best candidate
> for such a macro is a sock_file, and that's largely due to systemd setting
> programs' stdout/stderr to unix domain sockets.
>
>
> Index: refpolicy-2.20170212/policy/support/obj_perm_sets.spt
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/support/obj_perm_sets.spt
> +++ refpolicy-2.20170212/policy/support/obj_perm_sets.spt
> @@ -192,7 +192,8 @@ define(`setattr_fifo_file_perms',`{ seta
> define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
> define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
> define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
> -define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
> +define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
> +define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
> define(`create_fifo_file_perms',`{ getattr create open }')
> define(`rename_fifo_file_perms',`{ getattr rename }')
> define(`delete_fifo_file_perms',`{ getattr unlink }')
> @@ -260,7 +261,8 @@ define(`relabel_chr_file_perms',`{ getat
> #
> # Use (read and write) terminals
> #
> -define(`rw_term_perms', `{ getattr open read write append ioctl }')
> +define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
> +define(`rw_term_perms', `{ rw_inherited_term_perms open }')

Merged.

--
Chris PeBenito