* [refpolicy] [ userdomain patch RETRY 1/1] Various permission set fixes.
@ 2010-03-03 16:54 Dominick Grift
  2010-03-03 18:13 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2010-03-03 16:54 UTC (permalink / raw)
  To: refpolicy


Fix various interfaces to use permission sets for compatibility with the open permission.

Also use other permission sets where possible, simply because applicable permission sets are available and the use of permission sets is generally encouraged for compatibility.

The use of the exec_file_perms permission set may not be a good idea, though, since it may be a bit too coarse.
 
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 b18abce... 7e541ef... M	policy/modules/system/userdomain.if
 policy/modules/system/userdomain.if |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b18abce..7e541ef 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1313,7 +1313,7 @@ interface(`userdom_setattr_user_ptys',`
 		type user_devpts_t;
 	')
 
-	allow $1 user_devpts_t:chr_file setattr;
+	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
 ')
 
 ########################################
@@ -1655,7 +1655,7 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
 		type user_home_t;
 	')
 
-	dontaudit $1 user_home_t:file setattr;
+	dontaudit $1 user_home_t:file setattr_file_perms;
 ')
 
 ########################################
@@ -1730,7 +1730,7 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
 		type user_home_t;
 	')
 
-	dontaudit $1 user_home_t:file append;
+	dontaudit $1 user_home_t:file append_file_perms;
 ')
 
 ########################################
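Review bot: `append_file_perms` in this `dontaudit` rule silences more than the interface name promises. As defined in refpolicy's obj_perm_sets.spt (not shown on this page), the set also carries getattr, lock and ioctl alongside open and append, so callers of userdom_dontaudit_append_user_home_content_files stop logging those denials on user_home_t files too. The same applies to `write_file_perms` in userdom_dontaudit_write_user_home_content_files and to `append_file_perms` in userdom_dontaudit_append_user_tmp_files. Suppressed AVC denials are invisible to audit-based monitoring, so consider listing only what the open-permission fix needs, e.g. `dontaudit $1 user_home_t:file { append open };`, or state the wider suppression in the interface summary. The interface begins above the hunk.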
@@ -1748,7 +1748,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 		type user_home_t;
 	')
 
-	dontaudit $1 user_home_t:file write;
+	dontaudit $1 user_home_t:file write_file_perms;
 ')
 
 ########################################
@@ -1849,7 +1849,7 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
 		type user_home_t;
 	')
 
-	dontaudit $1 user_home_t:file execute;
+	dontaudit $1 user_home_t:file exec_file_perms;
 ')
 
 ########################################
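Review bot: `exec_file_perms` in userdom_dontaudit_exec_user_home_content_files widens the suppression from execute alone to the whole set, which the commit message itself flags as possibly too coarse. Per obj_perm_sets.spt (not shown here), the set also includes getattr, open, read and execute_no_trans. A domain calling this interface would then have read and getattr denials on user_home_t files hidden from the audit log, which goes beyond what an "exec" dontaudit suggests and removes a signal useful for troubleshooting and detection. A narrower rule such as `dontaudit $1 user_home_t:file { execute execute_no_trans };` keeps the intent. The interface begins above the hunk.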
@@ -2193,7 +2193,7 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
 		type user_tmp_t;
 	')
 
-	dontaudit $1 user_tmp_t:file append;
+	dontaudit $1 user_tmp_t:file append_file_perms;
 ')
 
 ########################################
@@ -2467,7 +2467,7 @@ interface(`userdom_getattr_user_ttys',`
 		type user_tty_device_t;
 	')
 
-	allow $1 user_tty_device_t:chr_file getattr;
+	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
 ')
 
 ########################################
@@ -2485,7 +2485,7 @@ interface(`userdom_dontaudit_getattr_user_ttys',`
 		type user_tty_device_t;
 	')
 
-	dontaudit $1 user_tty_device_t:chr_file getattr;
+	dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
 ')
 
 ########################################
@@ -2503,7 +2503,7 @@ interface(`userdom_setattr_user_ttys',`
 		type user_tty_device_t;
 	')
 
-	allow $1 user_tty_device_t:chr_file setattr;
+	allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
 ')
 
 ########################################
@@ -2521,7 +2521,7 @@ interface(`userdom_dontaudit_setattr_user_ttys',`
 		type user_tty_device_t;
 	')
 
-	dontaudit $1 user_tty_device_t:chr_file setattr;
+	dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
 ')
 
 ########################################
-- 
1.6.6.1



* [refpolicy] [ userdomain patch RETRY 1/1] Various permission set fixes.
  2010-03-03 16:54 [refpolicy] [ userdomain patch RETRY 1/1] Various permission set fixes Dominick Grift
@ 2010-03-03 18:13 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2010-03-03 18:13 UTC (permalink / raw)
  To: refpolicy

On Wed, 2010-03-03 at 17:54 +0100, Dominick Grift wrote:
> Fix various interfaces to use permission sets for compatiblity with open permission.
> 
> Also use other permission sets where possible just because applicable permissions sets are available and the use of permission sets is encourage generally for compatibility.
> 
> The use of exec_file_perms permission set may be not be a good idea though since it may be a bit too coarse.

Merged.

> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 b18abce... 7e541ef... M	policy/modules/system/userdomain.if
>  policy/modules/system/userdomain.if |   20 ++++++++++----------
>  1 files changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index b18abce..7e541ef 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1313,7 +1313,7 @@ interface(`userdom_setattr_user_ptys',`
>  		type user_devpts_t;
>  	')
>  
> -	allow $1 user_devpts_t:chr_file setattr;
> +	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
>  ')
>  
>  ########################################
> @@ -1655,7 +1655,7 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
>  		type user_home_t;
>  	')
>  
> -	dontaudit $1 user_home_t:file setattr;
> +	dontaudit $1 user_home_t:file setattr_file_perms;
>  ')
>  
>  ########################################
> @@ -1730,7 +1730,7 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
>  		type user_home_t;
>  	')
>  
> -	dontaudit $1 user_home_t:file append;
> +	dontaudit $1 user_home_t:file append_file_perms;
>  ')
>  
>  ########################################
> @@ -1748,7 +1748,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
>  		type user_home_t;
>  	')
>  
> -	dontaudit $1 user_home_t:file write;
> +	dontaudit $1 user_home_t:file write_file_perms;
>  ')
>  
>  ########################################
> @@ -1849,7 +1849,7 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
>  		type user_home_t;
>  	')
>  
> -	dontaudit $1 user_home_t:file execute;
> +	dontaudit $1 user_home_t:file exec_file_perms;
>  ')
>  
>  ########################################
> @@ -2193,7 +2193,7 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
>  		type user_tmp_t;
>  	')
>  
> -	dontaudit $1 user_tmp_t:file append;
> +	dontaudit $1 user_tmp_t:file append_file_perms;
>  ')
>  
>  ########################################
> @@ -2467,7 +2467,7 @@ interface(`userdom_getattr_user_ttys',`
>  		type user_tty_device_t;
>  	')
>  
> -	allow $1 user_tty_device_t:chr_file getattr;
> +	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
>  ')
>  
>  ########################################
> @@ -2485,7 +2485,7 @@ interface(`userdom_dontaudit_getattr_user_ttys',`
>  		type user_tty_device_t;
>  	')
>  
> -	dontaudit $1 user_tty_device_t:chr_file getattr;
> +	dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
>  ')
>  
>  ########################################
> @@ -2503,7 +2503,7 @@ interface(`userdom_setattr_user_ttys',`
>  		type user_tty_device_t;
>  	')
>  
> -	allow $1 user_tty_device_t:chr_file setattr;
> +	allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
>  ')
>  
>  ########################################
> @@ -2521,7 +2521,7 @@ interface(`userdom_dontaudit_setattr_user_ttys',`
>  		type user_tty_device_t;
>  	')
>  
> -	dontaudit $1 user_tty_device_t:chr_file setattr;
> +	dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
>  ')
>  
>  ########################################
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
