[RFC PATCH 5/8] core: make SELinux access permissions more distinct


 



Make access permissions more distinct by using the newly introduced permission `modify`:

  - method_set_environment           : reload -> modify
  - method_unset_environment         : reload -> modify
  - method_unset_and_set_environment : reload -> modify
  - method_set_exit_code             : exit   -> modify
  - bus_unit_method_set_properties   : start  -> modify
  - bus_unit_method_ref              : start  -> modify
---
 src/core/dbus-manager.c | 8 ++++----
 src/core/dbus-unit.c    | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index d2db6e4a61..cd66871d48 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1561,7 +1561,7 @@ static int method_set_environment(sd_bus_message *message, void *userdata, sd_bu
         assert(message);
         assert(m);
 
-        r = mac_selinux_access_check(message, "reload", error);
+        r = mac_selinux_access_check(message, "modify", error);
         if (r < 0)
                 return r;
 
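Review bot: The `"modify"` string passed to `mac_selinux_access_check()` in `method_set_environment` only restricts anything if the loaded policy defines and grants that permission, and nothing here covers systems whose policy still only knows `reload`. The class definition and the string-to-permission lookup are outside this patch, so the behaviour under an older policy cannot be confirmed from these lines. If the lookup falls back to SELinux's unknown-permission handling, the outcome would follow the policy's `handle_unknown` setting, and on an allow-unknown policy the check would stop constraining this method. Please state the upgrade behaviour in the commit message and add a comment at the call such as `/* "modify" must be defined by the loaded policy; older policies fall under handle_unknown */`. The same applies to the other five call sites changed in this patch; all six function bodies start and end outside their hunks.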
@@ -1592,7 +1592,7 @@ static int method_unset_environment(sd_bus_message *message, void *userdata, sd_
         assert(message);
         assert(m);
 
-        r = mac_selinux_access_check(message, "reload", error);
+        r = mac_selinux_access_check(message, "modify", error);
         if (r < 0)
                 return r;
 
@@ -1624,7 +1624,7 @@ static int method_unset_and_set_environment(sd_bus_message *message, void *userd
         assert(message);
         assert(m);
 
-        r = mac_selinux_access_check(message, "reload", error);
+        r = mac_selinux_access_check(message, "modify", error);
         if (r < 0)
                 return r;
 
@@ -1662,7 +1662,7 @@ static int method_set_exit_code(sd_bus_message *message, void *userdata, sd_bus_
         assert(message);
         assert(m);
 
-        r = mac_selinux_access_check(message, "exit", error);
+        r = mac_selinux_access_check(message, "modify", error);
         if (r < 0)
                 return r;
 
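Review bot: Moving `method_set_exit_code` from `exit` to `modify` ties it to the same permission as the three environment setters above, so a policy can no longer grant one without the other. A domain that was allowed `exit` but not `reload` loses this call on upgrade, and a domain granted `modify` only to adjust the manager environment gains the ability to set the exit code. If that grouping is intended, a comment at the check would help policy authors, for example `/* setting the exit code is treated as a manager modification, not as "exit" */`. Otherwise a separate permission would keep the two operations distinguishable. The function body continues outside the hunk.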
diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
index f86efaac3a..37b5decf52 100644
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -579,7 +579,7 @@ int bus_unit_method_set_properties(sd_bus_message *message, void *userdata, sd_b
         assert(message);
         assert(u);
 
-        r = mac_selinux_unit_access_check(u, message, "start", error);
+        r = mac_selinux_unit_access_check(u, message, "modify", error);
         if (r < 0)
                 return r;
 
@@ -614,7 +614,7 @@ int bus_unit_method_ref(sd_bus_message *message, void *userdata, sd_bus_error *e
         assert(message);
         assert(u);
 
-        r = mac_selinux_unit_access_check(u, message, "start", error);
+        r = mac_selinux_unit_access_check(u, message, "modify", error);
         if (r < 0)
                 return r;
 
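Review bot: It is not evident from this hunk why `bus_unit_method_ref` belongs under `modify` alongside `bus_unit_method_set_properties`. The visible lines show only the access check, and the commit message lists the mapping without a rationale. If ref merely pins the unit for the caller (an inference from the name, not from code shown here), a policy author would not expect to grant `modify`, and with it property changes, just to hold a reference. A one-line comment above the check stating what ref changes on the unit, or a narrower permission for it, would make the policy impact reviewable. The function body starts and ends outside the hunk.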
-- 
2.24.1



