diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index c00a0ba..45d4ec6 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -595,6 +595,13 @@ template(`unpriv_user_template', `
 kernel_dontaudit_read_ring_buffer($1_t)
 ')
+ # Allow users to rw usb devices
+ tunable_policy(`user_rw_usb',`
+ dev_rw_usbfs($1_t)
+ ',`
+ dev_read_usbfs($1_t)
+ ')
+
 # Allow users to run TCP servers (bind to ports and accept connection from
 # the same domain and outside users) disabling this forces FTP passive mode
 # and may change other protocols
@@ -699,13 +706,6 @@ template(`unpriv_user_template', `
 allow $1_t var_lib_t:dir r_dir_perms;
 allow $1_t var_lib_t:file { getattr read };
- # Allow users to rw usb devices
- tunable_policy(`user_rw_usb',`
- rw_dir_create_file($1_t,usbdevfs_t)
- ',`
- r_dir_file($1_t,usbdevfs_t)
- ')
-
 # Do not audit write denials to /etc/ld.so.cache.
 dontaudit $1_t ld_so_cache_t:file write;
@@ -720,7 +720,6 @@ template(`unpriv_user_template', `
 ')
 allow $1_t initrc_t:fifo_file write;
-
 ') dnl end TODO
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 916c81e..1f39dfb 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.0)
+policy_module(userdomain,1.3.1)
 gen_require(`
 role sysadm_r, staff_r, user_r;
@@ -128,7 +128,8 @@ ifdef(`targeted_policy',`
 ifdef(`enable_mls',`
 admin_user_template(secadm)
- role_change(staff, secadm)
+ role_change(staff,secadm)
+ role_change(sysadm,secadm)
 ')
 # this should be tunable_policy, but
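Review bot: The false branch of the new tunable_policy block in the first userdomain.if hunk, `dev_read_usbfs($1_t)`, still grants every unprivileged user domain read access to usbfs, so turning user_rw_usb off narrows only write access and no setting of the tunable denies usbfs to users; the comment `# Allow users to rw usb devices` hides that, and should read something like `# usbfs is readable by unprivileged users regardless of user_rw_usb; the tunable only adds write access`. The block also replaces the raw `rw_dir_create_file($1_t,usbdevfs_t)` and `r_dir_file($1_t,usbdevfs_t)` calls with the devices-module interfaces dev_rw_usbfs and dev_read_usbfs, and the old usbdevfs_t type is no longer named here; if those interfaces grant a different permission set than the macros they replace, the commit message should state the effective change, which cannot be confirmed from the hunk alone. The tunable's declaration and default are outside this diff, so the default behaviour is not verifiable here. The enclosing unpriv_user_template begins and ends outside the hunk.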