commit: 725c7384ee245e84f7fe137d425f1539ec56fc6c |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Thu Oct 18 18:08:15 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Oct 31 17:59:21 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=725c7384 |
|
Changes to the user domain policy module |
|
Content that (at least) common users need to be able to relabel and |
create with a type transition |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++ |
1 files changed, 23 insertions(+), 0 deletions(-) |
|
19 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
20 |
index 6551910..208799e 100644 |
21 |
--- a/policy/modules/system/userdomain.if |
22 |
+++ b/policy/modules/system/userdomain.if |
23 |
@@ -596,6 +596,7 @@ template(`userdom_common_user_template',` |
24 |
') |
25 |
|
26 |
optional_policy(` |
27 |
+ alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") |
28 |
alsa_manage_home_files($1_t) |
29 |
alsa_read_rw_config($1_t) |
30 |
alsa_relabel_home_files($1_t) |
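Review bot: The named transition added for `.asoundrc` only takes effect when the user domain creates a file under exactly that name, so a file written under a temporary name and then renamed into place keeps whatever type the unnamed rules give it until it is relabelled. The same holds for the `.k5login`, `.my.cnf`, `.oidentd.conf` and `.ppprc` transitions in the later hunks, and it is presumably why each of those blocks also carries a relabel rule. A short comment above the new line would make that dependency explicit, e.g. `# name-based: applies on direct create only; renamed-in files need restorecon`. This optional_policy block continues past the end of the hunk.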
31 |
@@ -650,9 +651,20 @@ template(`userdom_common_user_template',` |
32 |
') |
33 |
|
34 |
optional_policy(` |
35 |
+ kerberos_manage_krb5_home_files($1_t) |
36 |
+ kerberos_relabel_krb5_home_files($1_t) |
37 |
+ kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") |
38 |
+ ') |
39 |
+ |
40 |
+ optional_policy(` |
41 |
locate_read_lib_files($1_t) |
42 |
') |
43 |
|
44 |
+ optional_policy(` |
45 |
+ mpd_manage_user_data_content($1_t) |
46 |
+ mpd_relabel_user_data_content($1_t) |
47 |
+ ') |
48 |
+ |
49 |
# for running depmod as part of the kernel packaging process |
50 |
optional_policy(` |
51 |
modutils_read_module_config($1_t) |
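Review bot: The new mpd block grants manage and relabel but, unlike the kerberos block added above it, no file transition, so content the user domain creates would presumably get the mpd user data type only when its parent directory already carries it. If that is intentional, a one-line comment such as `# no named transition: mpd user data has no fixed file name` would record the reason; otherwise a transition belongs next to these two calls, provided the mpd module offers an interface for it. Separately, `.k5login` decides which principals may log in to the account, so it is worth confirming that every domain built from this template is meant to have manage and relabel on that type.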
52 |
@@ -666,11 +678,16 @@ template(`userdom_common_user_template',` |
53 |
tunable_policy(`allow_user_mysql_connect',` |
54 |
mysql_stream_connect($1_t) |
55 |
') |
56 |
+ |
57 |
+ mysql_manage_mysqld_home_files($1_t) |
58 |
+ mysql_relabel_mysqld_home_files($1_t) |
59 |
+ mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf") |
60 |
') |
61 |
|
62 |
optional_policy(` |
63 |
oident_manage_user_content($1_t) |
64 |
oident_relabel_user_content($1_t) |
65 |
+ oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf") |
66 |
') |
67 |
|
68 |
optional_policy(` |
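Review bot: The three `mysql_*` home-file calls sit after the close of the `allow_user_mysql_connect` tunable block, so they apply whenever the mysql module is present, regardless of the boolean. That looks deliberate, but nothing in the file says so, and `.my.cnf` commonly holds client credentials, which makes the scope worth stating. I would add a comment above them, e.g. `# not gated by allow_user_mysql_connect: users manage their own ~/.my.cnf either way`. The enclosing optional_policy opens before the start of this hunk.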
69 |
@@ -691,6 +708,12 @@ template(`userdom_common_user_template',` |
70 |
') |
71 |
|
72 |
optional_policy(` |
73 |
+ ppp_manage_home_files($1_t) |
74 |
+ ppp_relabel_home_files($1_t) |
75 |
+ ppp_home_filetrans_ppp_home($1_t, file, ".ppprc") |
76 |
+ ') |
77 |
+ |
78 |
+ optional_policy(` |
79 |
resmgr_stream_connect($1_t) |
80 |
') |