[refpolicy] [ userdomain patch 1/1] Allow domains that call userdom_tmp_role() to relabel generic user_tmp_t file objects.

Christopher J. PeBenito cpebenito at tresys.com
Tue Jul 6 11:08:25 CDT 2010


On 07/06/10 10:31, Dominick Grift wrote:
> I encountered this requirement when using poly-instantiation:
>
> denied  { relabelfrom } for  pid=14189 comm="sshd" name="system_u:object_r:tmp_t:s0_domg472" dev=dm-3 ino=2884342 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
>
> Although in refpolicy sshd_t does not call userdom_tmp_role (makes me wonder how refpolicy deals with poly-instantiation).

Not sure what you mean here, but sshd_t should never be calling 
userdom_tmp_role().  That interface is only for building user roles/user 
domains.

> Nonetheless, to me it seems to make sense that if one gives access to manage a type, you may also want to give relabel perms.

NAK. Relabeling is special.  There are a few exceptions, but it should 
almost always be separate from manage permissions.

> Oh, and it is untested (but I committed this to my branch and I will test it when I build a new version).
>
> Signed-off-by: Dominick Grift <domg472 at gmail.com>
> ---
> :100644 100644 42d4e8d... 72203a0... M	policy/modules/system/userdomain.if
>   policy/modules/system/userdomain.if |    6 ++++++
>   1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 42d4e8d..72203a0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -303,6 +303,12 @@ interface(`userdom_manage_tmp_role',`
>   	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
>   	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
>   	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
> +
> +	relabel_dirs_pattern($2, user_tmp_t, user_tmp_t)
> +	relabel_files_pattern($2, user_tmp_t, user_tmp_t)
> +	relabel_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
> +	relabel_sock_files_pattern($2, user_tmp_t, user_tmp_t)
> +	relabel_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
>   ')
>
>   #######################################
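Review bot: The added relabel_*_pattern lines grant both relabelfrom and relabelto on all five object classes, while the only denial cited in the message is `relabelfrom` on a single `dir` of type user_tmp_t, so the hunk is far broader than the reported need; if a directory-only relabelfrom is all that is required, `relabelfrom_dirs_pattern($2, user_tmp_t, user_tmp_t)` covers it, and per the NAK above any relabel grant belongs in its own interface rather than inside userdom_manage_tmp_role. Two smaller points: the interface's `## <summary>` documentation block (above this hunk) is not updated to say the interface now relabels, and the subject line names userdom_tmp_role() while the hunk header shows the change lands in userdom_manage_tmp_role.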
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
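As an added illustration of the point made above (that relabel permissions should be granted apart from manage permissions), the following is an example interface written in refpolicy's .if style. It is not from the patch or from refpolicy itself; the interface name userdom_relabel_user_tmp is hypothetical, while user_tmp_t, files_search_tmp() and the relabel_*_pattern macros are existing refpolicy names. A domain that needs relabeling would call this interface in addition to, not instead of, the manage interface, so the relabel grant stays visible and separately auditable in the calling module.

```m4
########################################
## <summary>
##	Relabel generic user temporary files,
##	directories and special files (user_tmp_t).
##	Example interface (hypothetical name); kept
##	separate from userdom_manage_tmp_role() so
##	that the ability to change an object's
##	security context is not bundled with
##	ordinary content management.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_relabel_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# The caller must be able to reach /tmp to find the objects.
	files_search_tmp($1)

	# Each relabel_*_pattern grants both relabelfrom and relabelto
	# on the given object class; if a caller only needs to change
	# contexts away from user_tmp_t, use relabelfrom_dirs_pattern
	# and friends instead to keep the grant minimal.
	relabel_dirs_pattern($1, user_tmp_t, user_tmp_t)
	relabel_files_pattern($1, user_tmp_t, user_tmp_t)
	relabel_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	relabel_sock_files_pattern($1, user_tmp_t, user_tmp_t)
	relabel_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
')
```

A domain module that genuinely needs relabeling would then call userdom_relabel_user_tmp(foo_t) next to userdom_manage_tmp_role(), and a reviewer reading the .te file sees the relabel grant as a distinct line rather than as a side effect of a manage call.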

