Attached you will find a concept patch that should allow users to relabel $1_home_t to $1_tmp_t and vice versa. I was testing the patch program and noticed that it wanted to relabel a file on my desktop from user_tmp_t to user_home_t:

[domg472@sulphur Desktop]$ patch -p0 < test.patch
patching file ktalk.te
patch: **** Can't set security context on file ktalk.te : Permission denied
[domg472@sulphur Desktop]$ less ktalk.te
[domg472@sulphur Desktop]$ ls -alZ | grep ktalk.te*
drwxr-xr-x domg472 domg472 domg472:object_r:user_home_t
-rw-rw-r-- domg472 domg472 domg472:object_r:user_tmp_t ktalk.te
-rw-rw-r-- domg472 domg472 domg472:object_r:user_tmp_t ktalk.te.rej

I suspect that in this scenario patch moves the file object from /tmp to ~/Desktop, so the file object ends up with the wrong type.

type=AVC msg=audit(1216322317.253:231): avc: denied { relabelfrom } for pid=26588 comm="patch" name="ktalk.te" dev=dm-1 ino=1827227 scontext=domg472:staff_r:staff_t:s0-s0:c0.c1023 tcontext=domg472:object_r:user_tmp_t:s0 tclass=file

-- Dominick Grift <domg472@xxxxxxxxx>
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/system/userdomain.if
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/system/userdomain.if	(revision 2758)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/system/userdomain.if	(working copy)
@@ -263,6 +263,7 @@
 	# full control of the home directory
 	allow $1_t $1_home_t:file entrypoint;
+	allow $1_t $1_home_t:dir_file_class_set { relabelto relabelfrom };
 	manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
 	manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
 	manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
@@ -375,11 +376,17 @@
 	type $1_tmp_t, $1_file_type;
 	files_tmp_file($1_tmp_t)
+	allow $1_t $1_tmp_t:dir_file_class_set { relabelto relabelfrom };
 	manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
 	manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
 	manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
 	manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
 	manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+	relabel_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
+	relabel_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+	relabel_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+	relabel_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+	relabel_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
 	files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
 ')
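Review bot: The blanket `allow $1_t $1_tmp_t:dir_file_class_set { relabelto relabelfrom };` in the second hunk is redundant with the five relabel_*_pattern calls added just below it, and dir_file_class_set also covers chr_file and blk_file, which none of the manage_*_pattern lines in this template handle; dropping that one allow line keeps the relabel grant to the object classes the template already manages. The first hunk adds the same blanket allow on $1_home_t without any relabel_*_pattern counterpart, so it is both broader than needed and inconsistent with the second hunk; replacing it with the matching relabel patterns, using `{ $1_home_dir_t $1_home_t }` as the directory argument like the neighbouring manage_*_pattern calls, makes the two grants uniform and leaves the home and tmp sides readable the same way. Both hunks are inside templates whose opening lines are outside the diff, and the first hunk's closing `')` is outside it as well, so whether another relabel rule already exists further down cannot be confirmed from here.

```m4
	# full control of the home directory
	allow $1_t $1_home_t:file entrypoint;
	relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
	relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
	relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
	relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
	relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
	# ... unchanged: manage_*_pattern calls ...
```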