* [refpolicy] [ userdomain patch 1/1] Fix various interfaces to use permission sets for compatibility with open permission.
@ 2010-03-03 16:08 Dominick Grift
  2010-03-03 16:10 ` Christopher J. PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Dominick Grift @ 2010-03-03 16:08 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 b18abce... 7e541ef... M	policy/modules/system/userdomain.if
 policy/modules/system/userdomain.if |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b18abce..7e541ef 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1313,7 +1313,7 @@ interface(`userdom_setattr_user_ptys',`
 		type user_devpts_t;
 	')
 
-	allow $1 user_devpts_t:chr_file setattr;
+	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
 ')
 
 ########################################
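Review bot: The commit message has no body, and the subject's stated reason (compatibility with the open permission) is not visible in this hunk: the only change is `setattr` to `setattr_chr_file_perms` on `user_devpts_t:chr_file` inside `userdom_setattr_user_ptys`, and nothing here touches open. Add a sentence to the commit message saying that attribute-only interfaces are being converted for consistency with the permission-set convention, so the change is not read as a functional fix.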
@@ -1655,7 +1655,7 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
 		type user_home_t;
 	')
 
-	dontaudit $1 user_home_t:file setattr;
+	dontaudit $1 user_home_t:file setattr_file_perms;
 ')
 
 ########################################
@@ -1730,7 +1730,7 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
 		type user_home_t;
 	')
 
-	dontaudit $1 user_home_t:file append;
+	dontaudit $1 user_home_t:file append_file_perms;
 ')
 
 ########################################
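Review bot: In `dontaudit $1 user_home_t:file append_file_perms;` the rule now silences every permission the set expands to, not just `append`, and the hunk does not show that expansion. If the set carries more than `append`, callers of `userdom_dontaudit_append_user_home_content_files` will stop seeing those denials in the audit log as well. Please state the expansion in the commit message and update the interface summary if it is broader than the name suggests.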
@@ -1748,7 +1748,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 		type user_home_t;
 	')
 
-	dontaudit $1 user_home_t:file write;
+	dontaudit $1 user_home_t:file write_file_perms;
 ')
 
 ########################################
@@ -1849,7 +1849,7 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
 		type user_home_t;
 	')
 
-	dontaudit $1 user_home_t:file execute;
+	dontaudit $1 user_home_t:file exec_file_perms;
 ')
 
 ########################################
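Review bot: `execute` to `exec_file_perms` is the one replacement here where the set name does not mirror the single permission it replaces, and the author's follow-up in this thread flags it as the set that might do harm. Because this is a `dontaudit` on `user_home_t:file`, anything extra in the set becomes an unlogged denial in user home content. Unless the expansion is confirmed to be what this interface should hide, keep `dontaudit $1 user_home_t:file execute;` in this hunk.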
@@ -2193,7 +2193,7 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
 		type user_tmp_t;
 	')
 
-	dontaudit $1 user_tmp_t:file append;
+	dontaudit $1 user_tmp_t:file append_file_perms;
 ')
 
 ########################################
@@ -2467,7 +2467,7 @@ interface(`userdom_getattr_user_ttys',`
 		type user_tty_device_t;
 	')
 
-	allow $1 user_tty_device_t:chr_file getattr;
+	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
 ')
 
 ########################################
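Review bot: This is an `allow` rule, so `getattr_chr_file_perms` defines what callers of `userdom_getattr_user_ttys` are granted, yet the diffstat lists only `policy/modules/system/userdomain.if`, so the set definition is taken on trust. Note in the commit message that the set already exists for the `chr_file` class and that the policy was rebuilt with this change, since a later edit to the set would change this grant without touching this file.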
@@ -2485,7 +2485,7 @@ interface(`userdom_dontaudit_getattr_user_ttys',`
 		type user_tty_device_t;
 	')
 
-	dontaudit $1 user_tty_device_t:chr_file getattr;
+	dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
 ')
 
 ########################################
@@ -2503,7 +2503,7 @@ interface(`userdom_setattr_user_ttys',`
 		type user_tty_device_t;
 	')
 
-	allow $1 user_tty_device_t:chr_file setattr;
+	allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
 ')
 
 ########################################
@@ -2521,7 +2521,7 @@ interface(`userdom_dontaudit_setattr_user_ttys',`
 		type user_tty_device_t;
 	')
 
-	dontaudit $1 user_tty_device_t:chr_file setattr;
+	dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
 ')
 
 ########################################
-- 
1.6.6.1


* [refpolicy] [ userdomain patch 1/1] Fix various interfaces to use permission sets for compatibility with open permission.
  2010-03-03 16:08 [refpolicy] [ userdomain patch 1/1] Fix various interfaces to use permission sets for compatibility with open permission Dominick Grift
@ 2010-03-03 16:10 ` Christopher J. PeBenito
  2010-03-03 16:33   ` Dominick Grift
  0 siblings, 1 reply; 3+ messages in thread
From: Christopher J. PeBenito @ 2010-03-03 16:10 UTC (permalink / raw)
  To: refpolicy

On Wed, 2010-03-03 at 17:08 +0100, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <domg472@gmail.com>

Perhaps you're just not being precise, but getattr and setattr alone
don't require the open permission (I realize there are other changes
in the patch that do require open).

> ---
> :100644 100644 b18abce... 7e541ef... M	policy/modules/system/userdomain.if
>  policy/modules/system/userdomain.if |   20 ++++++++++----------
>  1 files changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index b18abce..7e541ef 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1313,7 +1313,7 @@ interface(`userdom_setattr_user_ptys',`
>  		type user_devpts_t;
>  	')
>  
> -	allow $1 user_devpts_t:chr_file setattr;
> +	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
>  ')
>  
>  ########################################
> @@ -1655,7 +1655,7 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
>  		type user_home_t;
>  	')
>  
> -	dontaudit $1 user_home_t:file setattr;
> +	dontaudit $1 user_home_t:file setattr_file_perms;
>  ')
>  
>  ########################################
> @@ -1730,7 +1730,7 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
>  		type user_home_t;
>  	')
>  
> -	dontaudit $1 user_home_t:file append;
> +	dontaudit $1 user_home_t:file append_file_perms;
>  ')
>  
>  ########################################
> @@ -1748,7 +1748,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
>  		type user_home_t;
>  	')
>  
> -	dontaudit $1 user_home_t:file write;
> +	dontaudit $1 user_home_t:file write_file_perms;
>  ')
>  
>  ########################################
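Review bot: With `write_file_perms` in `userdom_dontaudit_write_user_home_content_files` and `append_file_perms` in `userdom_dontaudit_append_user_home_content_files`, the two dontaudit interfaces may now overlap if the write set also covers `append`; the hunk does not show either expansion. Document in the interface summaries which denials each one suppresses so callers do not hide more than they intend.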
> @@ -1849,7 +1849,7 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
>  		type user_home_t;
>  	')
>  
> -	dontaudit $1 user_home_t:file execute;
> +	dontaudit $1 user_home_t:file exec_file_perms;
>  ')
>  
>  ########################################
> @@ -2193,7 +2193,7 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
>  		type user_tmp_t;
>  	')
>  
> -	dontaudit $1 user_tmp_t:file append;
> +	dontaudit $1 user_tmp_t:file append_file_perms;
>  ')
>  
>  ########################################
> @@ -2467,7 +2467,7 @@ interface(`userdom_getattr_user_ttys',`
>  		type user_tty_device_t;
>  	')
>  
> -	allow $1 user_tty_device_t:chr_file getattr;
> +	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
>  ')
>  
>  ########################################
> @@ -2485,7 +2485,7 @@ interface(`userdom_dontaudit_getattr_user_ttys',`
>  		type user_tty_device_t;
>  	')
>  
> -	dontaudit $1 user_tty_device_t:chr_file getattr;
> +	dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
>  ')
>  
>  ########################################
> @@ -2503,7 +2503,7 @@ interface(`userdom_setattr_user_ttys',`
>  		type user_tty_device_t;
>  	')
>  
> -	allow $1 user_tty_device_t:chr_file setattr;
> +	allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
>  ')
>  
>  ########################################
> @@ -2521,7 +2521,7 @@ interface(`userdom_dontaudit_setattr_user_ttys',`
>  		type user_tty_device_t;
>  	')
>  
> -	dontaudit $1 user_tty_device_t:chr_file setattr;
> +	dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
>  ')
>  
>  ########################################
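Review bot: Six of the ten replacements, including `setattr_chr_file_perms` here in `userdom_dontaudit_setattr_user_ttys`, only touch `getattr` or `setattr`, which the reply above says do not need open. Consider splitting these attribute-only conversions from the append, write and execute changes so that each patch's subject matches what it does.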

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] [ userdomain patch 1/1] Fix various interfaces to use permission sets for compatibility with open permission.
  2010-03-03 16:10 ` Christopher J. PeBenito
@ 2010-03-03 16:33   ` Dominick Grift
  0 siblings, 0 replies; 3+ messages in thread
From: Dominick Grift @ 2010-03-03 16:33 UTC (permalink / raw)
  To: refpolicy

I do realize that, and yes it is a bit (too?) enthusiastic. However those permission sets are there for a reason too.
It is pretty odd though to have a getattr_file_perms set just for the getattr permission.

To the point, I do not think those non-open permission sets do harm, except maybe the exec_files_perms.

