b64a53494f
To simplify policy management on the various application domains with respect to user content access, a template is introduced which generates four tunable_policy() blocks. - The *_read_generic_user_content boolean will enable the application domain to read generic user resources (labeled with user_home_t). - The *_read_all_user_content boolean does the same, but for all user resources (those associated with the user_home_content_type attribute). - The *_manage_generic_user_content boolean enables the application to manage generic user resources (labeled with user_home_t) - The *_manage_all_user_content boolean does the same, but for all user reosurces (those associated with the user_home_content_type attribute). Although it would be even better to generate the booleans themselves as well (which is what Gentoo does with this template), it would result in booleans without proper documentation. Calls such as "semanage boolean -l" would fail to properly show a description on the boolean - something Gentoo resolves by keeping this documentation separate in a doc/gentoo_tunables.xml file. In this patch, we assume that the calling modules will define the booleans themselves (with appropriate documentation). The template checks for the existence of the booleans. This approach is more in line with how domain-specific booleans are managed up to now. Changes since v2: - Fix typo in gen_require (had a closing : instead of ;) Changes since v1: - Use in-line XML comment and tunable definition Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> |
||
|---|---|---|
| .. | ||
| admin | ||
| apps | ||
| contrib@f39e8bd2eb | ||
| kernel | ||
| roles | ||
| services | ||
| system | ||