[refpolicy] [ userdomain patch 1/1] Allow domains that call userdom_tmp_role() to relabel generic user_tmp_t file objects.
Christopher J. PeBenito
cpebenito at tresys.com
Tue Jul 6 12:02:49 CDT 2010
On 07/06/10 12:22, Dominick Grift wrote:
> On Tue, Jul 06, 2010 at 12:08:25PM -0400, Christopher J. PeBenito wrote:
>> On 07/06/10 10:31, Dominick Grift wrote:
>>> I encountered this requirement when using poly-instantiation:
>>>
>>> denied { relabelfrom } for pid=14189 comm="sshd" name="system_u:object_r:tmp_t:s0_domg472" dev=dm-3 ino=2884342 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
>>>
>>> Although in refpolicy sshd_t does not call userdom_tmp_role (Makes me wonder how refpolicy deals with poly-instantiation.)
>>
>> Not sure what you mean here, but sshd_t should never be calling
>> userdom_tmp_role(). That interface is only for building user
>> roles/user domains.
>
> pulseaudio.if: pulseaudio_role:
>
> userdom_manage_home_role($1, pulseaudio_t)
> userdom_manage_tmp_role($1, pulseaudio_t)
> userdom_manage_tmpfs_role($1, pulseaudio_t)
>
> wm.if: wm_role:
>
> userdom_manage_home_role($2, $1_wm_t)
> userdom_manage_tmpfs_role($2, $1_wm_t)
> userdom_manage_tmp_role($2, $1_wm_t)
>
> etc
I'm already working on removing these.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com