Is the usercanread attribute still needed?

Is the usercanread attribute still needed?

[Ryan Bradetich]

[-- Attachment #1: Type: text/plain, Size: 1127 bytes --]

Hello all,

I noticed the apache.te file used the file_types() macro instead of
the file_config_file() macro for the configuration files, so I looked
into the differences between the macros.

The files_config_file macro is listed below:

interface(`files_config_file',`
        gen_require(`
                attribute usercanread;
        ')

        files_type($1)

        # this is a hack and should be removed.
        typeattribute $1 usercanread;
')


After reading the comment above the typeattribute, I was curious to
figure out what the usercanread attribute was used for. Looking
through the SVN tree I found the following uses.

$ find . -type f | xargs grep  usercanread | grep -v '.svn'
./modules/kernel/files.if:              attribute usercanread;
./modules/kernel/files.if:      typeattribute $1 usercanread;
./modules/kernel/files.te:attribute usercanread;


I used the attached patched to remove the attribute from the files.te
and files.if file and the policy still compiled.  Is it safe to assume
we can remove the attribute now?  Or is the hack still needed for
something I am not seeing?

Thanks!

- Ryan

[-- Attachment #2: files.patch --]
[-- Type: text/x-patch, Size: 849 bytes --]

Index: policy/modules/kernel/files.if
===================================================================
--- policy/modules/kernel/files.if	(revision 2181)
+++ policy/modules/kernel/files.if	(working copy)
@@ -110,14 +110,7 @@
 ## </param>
 #
 interface(`files_config_file',`
-	gen_require(`
-		attribute usercanread;
-	')
-
 	files_type($1)
-
-	# this is a hack and should be removed.
-	typeattribute $1 usercanread;
 ')
 
 ########################################
Index: policy/modules/kernel/files.te
===================================================================
--- policy/modules/kernel/files.te	(revision 2181)
+++ policy/modules/kernel/files.te	(working copy)
@@ -30,9 +30,6 @@
 attribute tmpfile;
 attribute tmpfsfile;
 
-# this is a hack and should be changed
-attribute usercanread;
-
 #
 # boot_t is the type for files in /boot
 #

Re: Is the usercanread attribute still needed?

[Christopher J. PeBenito]

On Sun, 2007-02-18 at 16:33 -0800, Ryan Bradetich wrote:
> Hello all,
> 
> I noticed the apache.te file used the file_types() macro instead of
> the file_config_file() macro for the configuration files, so I looked
> into the differences between the macros.
> 
> The files_config_file macro is listed below:
> 
> interface(`files_config_file',`
>         gen_require(`
>                 attribute usercanread;
>         ')
> 
>         files_type($1)
> 
>         # this is a hack and should be removed.
>         typeattribute $1 usercanread;
> ')
> 
> 
> After reading the comment above the typeattribute, I was curious to
> figure out what the usercanread attribute was used for. Looking
> through the SVN tree I found the following uses.
> 
> $ find . -type f | xargs grep  usercanread | grep -v '.svn'
> ./modules/kernel/files.if:              attribute usercanread;
> ./modules/kernel/files.if:      typeattribute $1 usercanread;
> ./modules/kernel/files.te:attribute usercanread;
> 
> 
> I used the attached patched to remove the attribute from the files.te
> and files.if file and the policy still compiled.  Is it safe to assume
> we can remove the attribute now?  Or is the hack still needed for
> something I am not seeing?

Since modules are statically compiled, we can't completely remove the
attribute yet, otherwise it might cause some policies to fail to link if
it is still required.  However, the typeattribute could be removed from
files_config_file().

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is the usercanread attribute still needed?

[Ryan Bradetich]

Sorry all,

I forgot to include the SELinux mailing list.

Thanks,

- Ryan

On 2/20/07, Ryan Bradetich <rbradetich@gmail.com> wrote:
> Hello Chris,
>
> Thanks much for your reply!
> I have attached an updated patch that leaves the attribute definition
> in the files.te file.
>
> Just out of curiosity, what is the policy for obsoleting these attributes?
> At next policy file rev?
>
> Thanks!
>
> - Ryan
>
>
> On 2/20/07, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
> > Since modules are statically compiled, we can't completely remove the
> > attribute yet, otherwise it might cause some policies to fail to link if
> > it is still required.  However, the typeattribute could be removed from
> > files_config_file().
> >
> > --
> > Chris PeBenito
> > Tresys Technology, LLC
> > (410) 290-1411 x150
>
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is the usercanread attribute still needed?

[Christopher J. PeBenito]

> On 2/20/07, Ryan Bradetich <rbradetich@gmail.com> wrote:
> > Hello Chris,
> >
> > Thanks much for your reply!
> > I have attached an updated patch that leaves the attribute definition
> > in the files.te file.
> >
> > Just out of curiosity, what is the policy for obsoleting these attributes?
> > At next policy file rev?

It has to stay around for "a reasonable transition time".  Since this is
a fairly widely used interface, it'll probably have to stay for a few
releases.

Please resend the patch to the list.

> > On 2/20/07, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
> > > Since modules are statically compiled, we can't completely remove the
> > > attribute yet, otherwise it might cause some policies to fail to link if
> > > it is still required.  However, the typeattribute could be removed from
> > > files_config_file().

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is the usercanread attribute still needed?

[Ryan Bradetich]

[-- Attachment #1: Type: text/plain, Size: 1172 bytes --]

Hello Chris,

I thought I did forward the patch, but it looks like the foward
stripped the patch :(
Here is the patch again.

Thanks!

- Ryan



On 2/23/07, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
> > On 2/20/07, Ryan Bradetich <rbradetich@gmail.com> wrote:
> > > Hello Chris,
> > >
> > > Thanks much for your reply!
> > > I have attached an updated patch that leaves the attribute definition
> > > in the files.te file.
> > >
> > > Just out of curiosity, what is the policy for obsoleting these attributes?
> > > At next policy file rev?
>
> It has to stay around for "a reasonable transition time".  Since this is
> a fairly widely used interface, it'll probably have to stay for a few
> releases.
>
> Please resend the patch to the list.
>
> > > On 2/20/07, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
> > > > Since modules are statically compiled, we can't completely remove the
> > > > attribute yet, otherwise it might cause some policies to fail to link if
> > > > it is still required.  However, the typeattribute could be removed from
> > > > files_config_file().
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>

[-- Attachment #2: files2.patch --]
[-- Type: text/x-patch, Size: 1016 bytes --]

Index: policy/modules/kernel/files.if
===================================================================
--- policy/modules/kernel/files.if	(revision 2182)
+++ policy/modules/kernel/files.if	(working copy)
@@ -110,14 +110,7 @@
 ## </param>
 #
 interface(`files_config_file',`
-	gen_require(`
-		attribute usercanread;
-	')
-
 	files_type($1)
-
-	# this is a hack and should be removed.
-	typeattribute $1 usercanread;
 ')
 
 ########################################
Index: policy/modules/kernel/files.te
===================================================================
--- policy/modules/kernel/files.te	(revision 2182)
+++ policy/modules/kernel/files.te	(working copy)
@@ -30,7 +30,9 @@
 attribute tmpfile;
 attribute tmpfsfile;
 
-# this is a hack and should be changed
+# this attribute is not currently used and should be removed in the future.
+# unfortenately, this attribute can nob be removed yet because it may fail
+# some policies to fail to link if it is still required.
 attribute usercanread;
 
 #

Re: Is the usercanread attribute still needed?

[Christopher J. PeBenito]

On Sat, 2007-02-24 at 08:02 -0800, Ryan Bradetich wrote:
> I thought I did forward the patch, but it looks like the foward
> stripped the patch :(
> Here is the patch again.

Merged.

> On 2/23/07, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
> > > On 2/20/07, Ryan Bradetich <rbradetich@gmail.com> wrote:
> > > > Hello Chris,
> > > >
> > > > Thanks much for your reply!
> > > > I have attached an updated patch that leaves the attribute definition
> > > > in the files.te file.
> > > >
> > > > Just out of curiosity, what is the policy for obsoleting these attributes?
> > > > At next policy file rev?
> >
> > It has to stay around for "a reasonable transition time".  Since this is
> > a fairly widely used interface, it'll probably have to stay for a few
> > releases.
> >
> > Please resend the patch to the list.
> >
> > > > On 2/20/07, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
> > > > > Since modules are statically compiled, we can't completely remove the
> > > > > attribute yet, otherwise it might cause some policies to fail to link if
> > > > > it is still required.  However, the typeattribute could be removed from
> > > > > files_config_file().
> >
> > --
> > Chris PeBenito
> > Tresys Technology, LLC
> > (410) 290-1411 x150
> >
> >
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.