From: KaiGai Kohei <kaigai@kaigai.gr.jp>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: "SELinux(NSA)" <SELinux@tycho.nsa.gov>,
Joshua Brindle <jbrindle@tresys.com>
Subject: Interface between applications. (Re: [PATCH] independent with attribute declararion oeder for attachment)
Date: Tue, 14 Jun 2005 23:37:50 +0900
Message-ID: <42AEEBBE.1070904@kaigai.gr.jp>
In-Reply-To: <1118671669.24565.59.camel@moss-spartans.epoch.ncsc.mil>
Hi, Stephen. Thanks for your comments.
I didn't know why the disabled section existed in checkpolicy.
Excuse me, I have worked on SELinux for only one year and a few months.
>>Currently, we must declare an attribute before attaching it to any types.
>>Thus, almost all attributes are declared in attrib.te, and attrib.te's merging
>>order for policy.conf is earlier than any *.te files.
>
>
> That was intentional; it ensured that one could easily review all
> defined attribute with some inline documentation (comments) in one
> location. Of course, since that time, people have introduced some
> attribute definitions in other .te files, although primarily in macros.
> And some of the attribute definitions are domain-specific, e.g. the
> nscd_*_domain ones.
OK. I'll take it as a policy-writing guideline that an attribute must
be declared in the application-specific macros file when we want to declare
an application-specific attribute.
# Maybe it should be appended to one of the FAQs.
> As an example, one could have a typo in an attribute name, which would
> no longer be caught by the compiler. In that case, you wouldn't get the
> expected allow rules generated for the type. You note that this is
> "harmless" because it simply means fewer permissions being allowed, but
> it could have unexpected results, e.g. lack of proper attributes on a
> domain or type could prevent the admin or init from killing a process or
> acting on a file (until the policy was fixed, of course).
Indeed, a typo may cause a lack of crucial permissions.
I can print a message to avoid it, but checkpolicy can't distinguish
typos from intentionally ignored attributes.
So, please leave the prior patch for a while. orz
>>BTW, I noticed a problem that any CGI program running in httpd_sys_script_t cannot
>>connect to PostgreSQL via a UNIX domain socket. This patch resolves it.
>>Since I think it is strange that the configuration for apache is done in postgresql.te,
>>I used postgresql_connectable_a as an interface for PostgreSQL client applications.
>
>
> I think that the reference policy is addressing this kind of issue by
> exporting explicit macro interfaces for every case where you need to
> export access to a type defined in one module to another module.
The attached macro is an example of explicit interfaces by macro.
I think deep dependency relationships between two or more applications
are so complicated that they easily cause human error.
I think we should disestablish policies described directly between some
applications, and define an interface by macros or attributes instead.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
[-- Attachment #2: pgsql-interface.patch --]
[-- Type: text/plain, Size: 2181 bytes --]
diff -rNU3 policy-1.23.17/domains/program/unused/apache.te policy-1.23.17.kg/domains/program/unused/apache.te
--- policy-1.23.17/domains/program/unused/apache.te 2005-05-25 11:28:28.000000000 -0400
+++ policy-1.23.17.kg/domains/program/unused/apache.te 2005-06-14 09:41:49.000000000 -0400
@@ -219,6 +219,11 @@
# Creation of lock files for apache2
lock_domain(httpd)
+# connect to PostgreSQL
+postgresql_connectable_domain(httpd_t)
+postgresql_connectable_domain(httpd_php_t)
+postgresql_connectable_domain(httpd_sys_script_t)
+
# connect to mysql
ifdef(`mysqld.te', `
can_unix_connect(httpd_php_t, mysqld_t)
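Review bot: the three postgresql_connectable_domain() calls widen the grant beyond what the cover text describes. The block removed from postgresql.te only covered httpd_t, and the message only mentions httpd_sys_script_t, yet httpd_php_t is added here as well. The description should state that httpd_php_t and httpd_sys_script_t are new grants, and each of the three domains should be confirmed to actually need a PostgreSQL socket (if only scripts connect, httpd_t itself could be left out). A smaller point: the mysql block just below guards its rules with `ifdef(`mysqld.te', ...)` here in apache.te, while for PostgreSQL the guard lives inside the macro; either works, but a one-line comment saying the macro expands to nothing without postgresql.te would save the next reader a lookup.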
diff -rNU3 policy-1.23.17/domains/program/unused/postgresql.te policy-1.23.17.kg/domains/program/unused/postgresql.te
--- policy-1.23.17/domains/program/unused/postgresql.te 2005-05-25 11:28:28.000000000 -0400
+++ policy-1.23.17.kg/domains/program/unused/postgresql.te 2005-06-14 09:41:36.000000000 -0400
@@ -113,13 +113,6 @@
allow postgresql_t mail_spool_t:dir { search };
lock_domain(postgresql)
can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
-ifdef(`apache.te', `
-#
-# Allow httpd to work with postgresql
-#
-allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
-can_unix_connect(httpd_t, postgresql_t)
-')
ifdef(`distro_gentoo', `
# "su - postgres ..." is called from initrc_t
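Review bot: removing this block is the right side of the move, but the replacement macro is not a pure relocation. The rules deleted here granted httpd_t `postgresql_tmp_t:sock_file rw_file_perms` and `can_unix_connect(httpd_t, postgresql_t)`; the macro additionally grants `tmp_t:dir { search getattr }` to every caller. That extra rule should be called out in the description (or dropped if the httpd domains already reach tmp_t through another rule) so the difference between old and new access is explicit to whoever reviews the generated policy.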
diff -rNU3 policy-1.23.17/macros/program/postgresql_macros.te policy-1.23.17.kg/macros/program/postgresql_macros.te
--- policy-1.23.17/macros/program/postgresql_macros.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.17.kg/macros/program/postgresql_macros.te 2005-06-14 09:41:08.000000000 -0400
@@ -0,0 +1,16 @@
+# Macros for PostgreSQL
+
+#-----------------------------------------------------
+# An Interface for a domain can connect to PostgreSQL
+# (via UNIX domain socket)
+# usage: postgresql_connectable_domain(DOMAIN)
+
+define(`postgresql_connectable_domain',`
+ifdef(`postgresql.te',`
+allow $1 tmp_t:dir {search getattr};
+allow $1 postgresql_tmp_t:sock_file rw_file_perms;
+can_unix_connect($1, postgresql_t)
+
+',`') dnl The End Of postgresql.te
+') dnl The End Of postgresql_connectable_domain
+
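Review bot: `rw_file_perms` on the socket file is broader than a connect needs; connecting to a UNIX domain socket requires `write` (plus `getattr` for the lookup) on the sock_file, so `allow $1 postgresql_tmp_t:sock_file { getattr write };` would follow least privilege here, even though the wider set merely mirrors the rules being moved out of postgresql.te. Two minor points: the header comment "An Interface for a domain can connect to PostgreSQL" reads better as "An interface that lets a domain connect to PostgreSQL", and the `allow $1 tmp_t:dir {search getattr};` line should carry a comment explaining why it is needed (presumably because the socket lives under /tmp), since it is granted to every caller regardless of what they already have.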