[refpolicy] [PATCH 2/3] user access to DOS files

Dominick Grift dominick.grift at gmail.com
Wed Sep 5 02:00:28 CDT 2012



On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
> On 04/09/2012 23:21, Laurent Bigonville wrote:
> > From: Mika Pflüger <debian at mikapflueger.de>
> >
> > Add a new boolean to grant users access to dosfs_t.
> > ---
> >   policy/global_tunables              |    7 +++++++
> >   policy/modules/system/userdomain.if |    6 ++++++
> >   2 files changed, 13 insertions(+)
> >
> > diff --git a/policy/global_tunables b/policy/global_tunables
> > index 4705ab6..43cc19a 100644
> > --- a/policy/global_tunables
> > +++ b/policy/global_tunables
> > @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
> >   ## </p>
> >   ## </desc>
> >   gen_tunable(user_tcp_server,false)
> > +
> > +## <desc>
> > +## <p>
> > +## Allow users to manage files on dosfs_t devices, usually removable media
> > +## </p>
> > +## </desc>
> > +gen_tunable(user_manage_dos_files,true)
> 
> In my opinion is good to have this as on option, but in a secure 
> environment the default should be false for removable media.

i would prefer the boolean to be fprefix userdom or userdomain instead
of user, because that it the module that declares this boolean.

Since the user is also allowed to manage dos dirs i would probably call
it: userdomain_manage_dos_content

as description i would use:

"Determine whether users can manage dosfs content."

> > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> > index e720dcd..0c96b65 100644
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
> >   		# Allow making the stack executable via mprotect.
> >   		allow $1_t self:process execstack;
> >   	')
> > +
> > +	tunable_policy(`user_manage_dos_files',`
> > +		fs_manage_dos_dirs($1_t)
> > +		fs_manage_dos_files($1_t)
> > +	')
> > +
> >   ')
> >
> >   #######################################
> >
> 
> Regards,
> 
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy




More information about the refpolicy mailing list