On 01/31/2017 01:37 PM, James Carter wrote:
In userdom_execmod_user_home_files(), user_home_type is an attribute, not a type. In userdom_read_inherited_user_home_content_files(), admin_home_t is a type, not an attribute. In userdom_dontaudit_read_inherited_admin_home_files(), admin_home_t is a type, not an attribute.

Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
This doesn't currently cause any problems, but I am working on improving the checking for identifier flavor mismatches (which occur when an identifier is declared or required as a regular role or type in one place but as an attribute in another place) in checkpolicy/checkmodule.
Jim
--- policy/modules/system/userdomain.if | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 269ce67..4b0a3ed 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -4925,7 +4925,7 @@ interface(`userdom_users_dgram_send',` # interface(`userdom_execmod_user_home_files',` gen_require(` - type user_home_type; + attribute user_home_type; ') allow $1 user_home_type:file execmod; @@ -5321,7 +5321,7 @@ interface(`userdom_read_inherited_user_home_content_files',` # interface(`userdom_dontaudit_read_inherited_admin_home_files',` gen_require(` - attribute admin_home_t; + type admin_home_t; ') dontaudit $1 admin_home_t:file read_inherited_file_perms; @@ -5339,7 +5339,7 @@ interface(`userdom_dontaudit_read_inherited_admin_home_files',` # interface(`userdom_dontaudit_append_inherited_admin_home_file',` gen_require(` - attribute admin_home_t; + type admin_home_t; ') dontaudit $1 admin_home_t:file append_inherited_file_perms;
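Review bot: the first hunk (@@ -4925, userdom_execmod_user_home_files) shows only the require side of the mismatch; the declaration it now has to agree with, `attribute user_home_type;` in userdomain.te, is not in the diff, so a reviewer should confirm that declaration before merging. Given that, replacing `type user_home_type;` with `attribute user_home_type;` is the right direction, and it is the one hunk the commit message names correctly.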
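Review bot: the commit message attributes the second hunk (@@ -5321) to userdom_read_inherited_user_home_content_files(), but that name is only the @@ context line (the interface preceding the change); the interface actually edited is userdom_dontaudit_read_inherited_admin_home_files(), whose gen_require goes from `attribute admin_home_t;` to `type admin_home_t;`. Suggest correcting the commit message to name that interface so the log matches what changed.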
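Review bot: the same naming slip applies to the third hunk (@@ -5339): the commit message names userdom_dontaudit_read_inherited_admin_home_files(), again the @@ context line, while the edited interface is userdom_dontaudit_append_inherited_admin_home_file() (singular "file", unlike the neighbouring interfaces; not part of this change, but worth a follow-up). The change itself, `- attribute admin_home_t;` / `+ type admin_home_t;`, is consistent with the `dontaudit $1 admin_home_t:file append_inherited_file_perms;` rule that follows it.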
-- James Carter <jwcart2@xxxxxxxxxxxxx> National Security Agency
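The check Jim describes, catching an identifier that is required as a `type` in one place but declared as an `attribute` in another, can be approximated outside checkpolicy by comparing `gen_require()` blocks in a .if file against the declarations in the corresponding .te file. The script below is an added example, not part of the mail or of checkpolicy/checkmodule; the two policy excerpts are constructed to mirror the pre-patch state of two of the interfaces above, and the declarations in the .te excerpt are assumed to be the real flavors as the commit message states them. It handles plain `type`/`attribute`/`role` lines only, not m4 conditionals or other macros.

```python
"""Report identifier flavor mismatches between SELinux policy declarations
(.te) and gen_require() blocks (.if).  Added example, not checkpolicy's own
logic; the sample excerpts below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for userdomain.te (assumption: these are the real flavors).
SAMPLE_TE = """
attribute user_home_type;
type admin_home_t;
type user_home_t, user_home_type;
"""

# Constructed stand-in for the pre-patch userdomain.if.
SAMPLE_IF = """
interface(`userdom_execmod_user_home_files',`
    gen_require(`
        type user_home_type;
    ')
    allow $1 user_home_type:file execmod;
')

interface(`userdom_dontaudit_read_inherited_admin_home_files',`
    gen_require(`
        attribute admin_home_t;
    ')
    dontaudit $1 admin_home_t:file read_inherited_file_perms;
')
"""

# Declaration: `type t;`, `type t, attr1, attr2;`, `attribute a;`, `role r;`.
DECL_RE = re.compile(
    r'^\s*(type|attribute|role|attribute_role)\s+([A-Za-z0-9_]+)\s*(?:,[^;]*)?;', re.M)
# interface(`name', or template(`name',
INTERFACE_RE = re.compile(r"(?:interface|template)\(`([A-Za-z0-9_]+)'")
REQUIRE_RE = re.compile(r"gen_require\(`(.*?)'\)", re.S)
# Inside gen_require, `type a, b;` requires both a and b as types.
REQ_LINE_RE = re.compile(r'^\s*(type|attribute|role|attribute_role)\s+([^;]+);', re.M)


def parse_declarations(te_text: str) -> Dict[str, str]:
    """Map each declared identifier to its flavor.  In `type t, a1, a2;`
    only t is declared; a1/a2 are attributes t is added to, so they are
    not recorded here (they are declared elsewhere with `attribute`)."""
    return {name: flavor for flavor, name in DECL_RE.findall(te_text)}


def parse_requires(if_text: str) -> List[Tuple[str, str, str]]:
    """Return (interface, identifier, flavor) for every gen_require entry."""
    starts = [(m.start(), m.group(1)) for m in INTERFACE_RE.finditer(if_text)]
    entries = []
    for req in REQUIRE_RE.finditer(if_text):
        iface = "<global>"
        for pos, name in starts:      # last interface opened before this block
            if pos < req.start():
                iface = name
            else:
                break
        for flavor, names in REQ_LINE_RE.findall(req.group(1)):
            for ident in names.split(","):
                ident = ident.strip()
                if ident:
                    entries.append((iface, ident, flavor))
    return entries


def find_flavor_mismatches(te_text: str, if_text: str) -> List[Tuple[str, str, str, str]]:
    """(interface, identifier, required_flavor, declared_flavor) for each
    identifier whose required flavor differs from its declaration."""
    declared = parse_declarations(te_text)
    mismatches = []
    for iface, ident, required in parse_requires(if_text):
        actual = declared.get(ident)
        if actual is not None and actual != required:
            mismatches.append((iface, ident, required, actual))
    return mismatches


if __name__ == "__main__":
    for iface, ident, required, actual in find_flavor_mismatches(SAMPLE_TE, SAMPLE_IF):
        print(f"{iface}: {ident} required as {required}, declared as {actual}")
```

Run against the constructed excerpts it flags both pre-patch requires: `user_home_type` required as a type but declared as an attribute, and `admin_home_t` required as an attribute but declared as a type. Unknown identifiers are skipped rather than reported, since a real module's requires usually refer to declarations in other .te files that a single-file scan does not see.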