| 1 |
commit: 725c7384ee245e84f7fe137d425f1539ec56fc6c |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Thu Oct 18 18:08:15 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Wed Oct 31 17:59:21 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=725c7384 |
| 7 |
|
| 8 |
Changes to the user domain policy module |
| 9 |
|
| 10 |
Content that (at least) common users need to be able to relabel and |
| 11 |
create with a type transition |
| 12 |
|
| 13 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 14 |
|
| 15 |
--- |
| 16 |
policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++ |
| 17 |
1 files changed, 23 insertions(+), 0 deletions(-) |
| 18 |
|
| 19 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
| 20 |
index 6551910..208799e 100644 |
| 21 |
--- a/policy/modules/system/userdomain.if |
| 22 |
+++ b/policy/modules/system/userdomain.if |
| 23 |
@@ -596,6 +596,7 @@ template(`userdom_common_user_template',` |
| 24 |
') |
| 25 |
|
| 26 |
optional_policy(` |
| 27 |
+ alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") |
| 28 |
alsa_manage_home_files($1_t) |
| 29 |
alsa_read_rw_config($1_t) |
| 30 |
alsa_relabel_home_files($1_t) |
| 31 |
@@ -650,9 +651,20 @@ template(`userdom_common_user_template',` |
| 32 |
') |
| 33 |
|
| 34 |
optional_policy(` |
| 35 |
+ kerberos_manage_krb5_home_files($1_t) |
| 36 |
+ kerberos_relabel_krb5_home_files($1_t) |
| 37 |
+ kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") |
| 38 |
+ ') |
| 39 |
+ |
| 40 |
+ optional_policy(` |
| 41 |
locate_read_lib_files($1_t) |
| 42 |
') |
| 43 |
|
| 44 |
+ optional_policy(` |
| 45 |
+ mpd_manage_user_data_content($1_t) |
| 46 |
+ mpd_relabel_user_data_content($1_t) |
| 47 |
+ ') |
| 48 |
+ |
| 49 |
# for running depmod as part of the kernel packaging process |
| 50 |
optional_policy(` |
| 51 |
modutils_read_module_config($1_t) |
| 52 |
@@ -666,11 +678,16 @@ template(`userdom_common_user_template',` |
| 53 |
tunable_policy(`allow_user_mysql_connect',` |
| 54 |
mysql_stream_connect($1_t) |
| 55 |
') |
| 56 |
+ |
| 57 |
+ mysql_manage_mysqld_home_files($1_t) |
| 58 |
+ mysql_relabel_mysqld_home_files($1_t) |
| 59 |
+ mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf") |
| 60 |
') |
| 61 |
|
| 62 |
optional_policy(` |
| 63 |
oident_manage_user_content($1_t) |
| 64 |
oident_relabel_user_content($1_t) |
| 65 |
+ oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf") |
| 66 |
') |
| 67 |
|
| 68 |
optional_policy(` |
| 69 |
@@ -691,6 +708,12 @@ template(`userdom_common_user_template',` |
| 70 |
') |
| 71 |
|
| 72 |
optional_policy(` |
| 73 |
+ ppp_manage_home_files($1_t) |
| 74 |
+ ppp_relabel_home_files($1_t) |
| 75 |
+ ppp_home_filetrans_ppp_home($1_t, file, ".ppprc") |
| 76 |
+ ') |
| 77 |
+ |
| 78 |
+ optional_policy(` |
| 79 |
resmgr_stream_connect($1_t) |
| 80 |
') |
Archives