* [refpolicy] [ arpwatch patch 1/1] Various arpwatch fixes.
@ 2010-02-24 12:41 Dominick Grift
2010-03-04 14:23 ` Christopher J. PeBenito
0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2010-02-24 12:41 UTC (permalink / raw)
To: refpolicy
Allow domains to search /var/lib to enable interaction with arpwatch data.
Allow domains to search /tmp to enable interaction with arpwatch tmp content.
Create arpwatch initrc domtrans.
Call arpwatch initrc domtrans from arpwatch_admin.
Remove obsolete require.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 92e2dc8... 0c3e830... M policy/modules/services/arpwatch.if
policy/modules/services/arpwatch.if | 25 +++++++++++++++++++++++--
1 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
index 92e2dc8..0c3e830 100644
--- a/policy/modules/services/arpwatch.if
+++ b/policy/modules/services/arpwatch.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Execute arpwatch server in the arpwatch domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`arpwatch_initrc_domtrans',`
+ gen_require(`
+ type arpwatch_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+')
+
+########################################
+## <summary>
## Search arpwatch's data file directories.
## </summary>
## <param name="domain">
@@ -15,6 +33,7 @@ interface(`arpwatch_search_data',`
type arpwatch_data_t;
')
+ files_search_var_lib($1)
allow $1 arpwatch_data_t:dir search_dir_perms;
')
@@ -33,6 +52,7 @@ interface(`arpwatch_manage_data_files',`
type arpwatch_data_t;
')
+ files_search_var_lib($1)
manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
')
@@ -51,6 +71,7 @@ interface(`arpwatch_rw_tmp_files',`
type arpwatch_tmp_t;
')
+ files_search_tmp($1)
allow $1 arpwatch_tmp_t:file rw_file_perms;
')
@@ -69,6 +90,7 @@ interface(`arpwatch_manage_tmp_files',`
type arpwatch_tmp_t;
')
+ files_search_tmp($1)
allow $1 arpwatch_tmp_t:file manage_file_perms;
')
@@ -112,13 +134,12 @@ interface(`arpwatch_admin',`
gen_require(`
type arpwatch_t, arpwatch_tmp_t;
type arpwatch_data_t, arpwatch_var_run_t;
- type arpwatch_initrc_exec_t;
')
allow $1 arpwatch_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, arpwatch_t)
- init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+ arpwatch_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
allow $2 system_r;
--
1.6.6.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100224/f0ee28c2/attachment.bin
^ permalink raw reply related [flat|nested] 4+ messages in thread* [refpolicy] [ arpwatch patch 1/1] Various arpwatch fixes.
2010-02-24 12:41 [refpolicy] [ arpwatch patch 1/1] Various arpwatch fixes Dominick Grift
@ 2010-03-04 14:23 ` Christopher J. PeBenito
2010-03-04 17:16 ` Dominick Grift
0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2010-03-04 14:23 UTC (permalink / raw)
To: refpolicy
On Wed, 2010-02-24 at 13:41 +0100, Dominick Grift wrote:
> Allow domains to search /var/lib to enable interaction with arpwatch data.
> Allow domains to search /tmp to enable interaction with arpwatch tmp content.
> Create arpwatch initrc domtrans.
> Call arpwatch initrc domtrans from arpwatch_admin.
> Remove obsolete require.
Merged. Put arpwatch_initrc_exec_t back into the arpwatch_admin()
require, since it is explicitly used in the interface.
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 92e2dc8... 0c3e830... M policy/modules/services/arpwatch.if
> policy/modules/services/arpwatch.if | 25 +++++++++++++++++++++++--
> 1 files changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
> index 92e2dc8..0c3e830 100644
> --- a/policy/modules/services/arpwatch.if
> +++ b/policy/modules/services/arpwatch.if
> @@ -2,6 +2,24 @@
>
> ########################################
> ## <summary>
> +## Execute arpwatch server in the arpwatch domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`arpwatch_initrc_domtrans',`
> + gen_require(`
> + type arpwatch_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> ## Search arpwatch's data file directories.
> ## </summary>
> ## <param name="domain">
> @@ -15,6 +33,7 @@ interface(`arpwatch_search_data',`
> type arpwatch_data_t;
> ')
>
> + files_search_var_lib($1)
> allow $1 arpwatch_data_t:dir search_dir_perms;
> ')
>
> @@ -33,6 +52,7 @@ interface(`arpwatch_manage_data_files',`
> type arpwatch_data_t;
> ')
>
> + files_search_var_lib($1)
> manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
> ')
>
> @@ -51,6 +71,7 @@ interface(`arpwatch_rw_tmp_files',`
> type arpwatch_tmp_t;
> ')
>
> + files_search_tmp($1)
> allow $1 arpwatch_tmp_t:file rw_file_perms;
> ')
>
> @@ -69,6 +90,7 @@ interface(`arpwatch_manage_tmp_files',`
> type arpwatch_tmp_t;
> ')
>
> + files_search_tmp($1)
> allow $1 arpwatch_tmp_t:file manage_file_perms;
> ')
>
> @@ -112,13 +134,12 @@ interface(`arpwatch_admin',`
> gen_require(`
> type arpwatch_t, arpwatch_tmp_t;
> type arpwatch_data_t, arpwatch_var_run_t;
> - type arpwatch_initrc_exec_t;
> ')
>
> allow $1 arpwatch_t:process { ptrace signal_perms getattr };
> ps_process_pattern($1, arpwatch_t)
>
> - init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
> + arpwatch_initrc_domtrans($1)
> domain_system_change_exemption($1)
> role_transition $2 arpwatch_initrc_exec_t system_r;
> allow $2 system_r;
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 4+ messages in thread* [refpolicy] [ arpwatch patch 1/1] Various arpwatch fixes.
2010-03-04 14:23 ` Christopher J. PeBenito
@ 2010-03-04 17:16 ` Dominick Grift
2010-03-04 18:37 ` Christopher J. PeBenito
0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2010-03-04 17:16 UTC (permalink / raw)
To: refpolicy
On 03/04/2010 03:23 PM, Christopher J. PeBenito wrote:
> On Wed, 2010-02-24 at 13:41 +0100, Dominick Grift wrote:
>> Allow domains to search /var/lib to enable interaction with arpwatch data.
>> Allow domains to search /tmp to enable interaction with arpwatch tmp content.
>> Create arpwatch initrc domtrans.
>> Call arpwatch initrc domtrans from arpwatch_admin.
>> Remove obsolete require.
>
> Merged. Put arpwatch_initrc_exec_t back into the arpwatch_admin()
> require, since it is explicitly used in the interface.
But it is also a require in the interface.
So basically now its two times included in the arpwatch_admin.
I don't see what thats needed
if i for example call
files_read_etc_file(bla_t)
Then i dont have to also require type etc_t becuase the interface
already requires it..
>
>> Signed-off-by: Dominick Grift <domg472@gmail.com>
>> ---
>> :100644 100644 92e2dc8... 0c3e830... M policy/modules/services/arpwatch.if
>> policy/modules/services/arpwatch.if | 25 +++++++++++++++++++++++--
>> 1 files changed, 23 insertions(+), 2 deletions(-)
>>
>> diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
>> index 92e2dc8..0c3e830 100644
>> --- a/policy/modules/services/arpwatch.if
>> +++ b/policy/modules/services/arpwatch.if
>> @@ -2,6 +2,24 @@
>>
>> ########################################
>> ## <summary>
>> +## Execute arpwatch server in the arpwatch domain.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## The type of the process performing this action.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`arpwatch_initrc_domtrans',`
>> + gen_require(`
>> + type arpwatch_initrc_exec_t;
>> + ')
>> +
>> + init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## Search arpwatch's data file directories.
>> ## </summary>
>> ## <param name="domain">
>> @@ -15,6 +33,7 @@ interface(`arpwatch_search_data',`
>> type arpwatch_data_t;
>> ')
>>
>> + files_search_var_lib($1)
>> allow $1 arpwatch_data_t:dir search_dir_perms;
>> ')
>>
>> @@ -33,6 +52,7 @@ interface(`arpwatch_manage_data_files',`
>> type arpwatch_data_t;
>> ')
>>
>> + files_search_var_lib($1)
>> manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
>> ')
>>
>> @@ -51,6 +71,7 @@ interface(`arpwatch_rw_tmp_files',`
>> type arpwatch_tmp_t;
>> ')
>>
>> + files_search_tmp($1)
>> allow $1 arpwatch_tmp_t:file rw_file_perms;
>> ')
>>
>> @@ -69,6 +90,7 @@ interface(`arpwatch_manage_tmp_files',`
>> type arpwatch_tmp_t;
>> ')
>>
>> + files_search_tmp($1)
>> allow $1 arpwatch_tmp_t:file manage_file_perms;
>> ')
>>
>> @@ -112,13 +134,12 @@ interface(`arpwatch_admin',`
>> gen_require(`
>> type arpwatch_t, arpwatch_tmp_t;
>> type arpwatch_data_t, arpwatch_var_run_t;
>> - type arpwatch_initrc_exec_t;
>> ')
>>
>> allow $1 arpwatch_t:process { ptrace signal_perms getattr };
>> ps_process_pattern($1, arpwatch_t)
>>
>> - init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
>> + arpwatch_initrc_domtrans($1)
>> domain_system_change_exemption($1)
>> role_transition $2 arpwatch_initrc_exec_t system_r;
>> allow $2 system_r;
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100304/6c25a555/attachment-0001.bin
^ permalink raw reply [flat|nested] 4+ messages in thread* [refpolicy] [ arpwatch patch 1/1] Various arpwatch fixes.
2010-03-04 17:16 ` Dominick Grift
@ 2010-03-04 18:37 ` Christopher J. PeBenito
0 siblings, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2010-03-04 18:37 UTC (permalink / raw)
To: refpolicy
On Thu, 2010-03-04 at 18:16 +0100, Dominick Grift wrote:
> On 03/04/2010 03:23 PM, Christopher J. PeBenito wrote:
> > On Wed, 2010-02-24 at 13:41 +0100, Dominick Grift wrote:
> >> Allow domains to search /var/lib to enable interaction with arpwatch data.
> >> Allow domains to search /tmp to enable interaction with arpwatch tmp content.
> >> Create arpwatch initrc domtrans.
> >> Call arpwatch initrc domtrans from arpwatch_admin.
> >> Remove obsolete require.
> >
> > Merged. Put arpwatch_initrc_exec_t back into the arpwatch_admin()
> > require, since it is explicitly used in the interface.
>
> But it is also a require in the interface.
>
> So basically now its two times included in the arpwatch_admin.
>
> I don't see what thats needed
>
> if i for example call
>
> files_read_etc_file(bla_t)
>
> Then i dont have to also require type etc_t becuase the interface
> already requires it..
The redundancy is fine. The type is used by the interface and an
interface it calls. Types should be required in all interfaces where
there is explicit usage. Relying on an another interface to specify
your requirements is fragile.
> >> Signed-off-by: Dominick Grift <domg472@gmail.com>
> >> ---
> >> :100644 100644 92e2dc8... 0c3e830... M policy/modules/services/arpwatch.if
> >> policy/modules/services/arpwatch.if | 25 +++++++++++++++++++++++--
> >> 1 files changed, 23 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
> >> index 92e2dc8..0c3e830 100644
> >> --- a/policy/modules/services/arpwatch.if
> >> +++ b/policy/modules/services/arpwatch.if
> >> @@ -2,6 +2,24 @@
> >>
> >> ########################################
> >> ## <summary>
> >> +## Execute arpwatch server in the arpwatch domain.
> >> +## </summary>
> >> +## <param name="domain">
> >> +## <summary>
> >> +## The type of the process performing this action.
> >> +## </summary>
> >> +## </param>
> >> +#
> >> +interface(`arpwatch_initrc_domtrans',`
> >> + gen_require(`
> >> + type arpwatch_initrc_exec_t;
> >> + ')
> >> +
> >> + init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
> >> +')
> >> +
> >> +########################################
> >> +## <summary>
> >> ## Search arpwatch's data file directories.
> >> ## </summary>
> >> ## <param name="domain">
> >> @@ -15,6 +33,7 @@ interface(`arpwatch_search_data',`
> >> type arpwatch_data_t;
> >> ')
> >>
> >> + files_search_var_lib($1)
> >> allow $1 arpwatch_data_t:dir search_dir_perms;
> >> ')
> >>
> >> @@ -33,6 +52,7 @@ interface(`arpwatch_manage_data_files',`
> >> type arpwatch_data_t;
> >> ')
> >>
> >> + files_search_var_lib($1)
> >> manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
> >> ')
> >>
> >> @@ -51,6 +71,7 @@ interface(`arpwatch_rw_tmp_files',`
> >> type arpwatch_tmp_t;
> >> ')
> >>
> >> + files_search_tmp($1)
> >> allow $1 arpwatch_tmp_t:file rw_file_perms;
> >> ')
> >>
> >> @@ -69,6 +90,7 @@ interface(`arpwatch_manage_tmp_files',`
> >> type arpwatch_tmp_t;
> >> ')
> >>
> >> + files_search_tmp($1)
> >> allow $1 arpwatch_tmp_t:file manage_file_perms;
> >> ')
> >>
> >> @@ -112,13 +134,12 @@ interface(`arpwatch_admin',`
> >> gen_require(`
> >> type arpwatch_t, arpwatch_tmp_t;
> >> type arpwatch_data_t, arpwatch_var_run_t;
> >> - type arpwatch_initrc_exec_t;
> >> ')
> >>
> >> allow $1 arpwatch_t:process { ptrace signal_perms getattr };
> >> ps_process_pattern($1, arpwatch_t)
> >>
> >> - init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
> >> + arpwatch_initrc_domtrans($1)
> >> domain_system_change_exemption($1)
> >> role_transition $2 arpwatch_initrc_exec_t system_r;
> >> allow $2 system_r;
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> >
>
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2010-03-04 18:37 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-02-24 12:41 [refpolicy] [ arpwatch patch 1/1] Various arpwatch fixes Dominick Grift
2010-03-04 14:23 ` Christopher J. PeBenito
2010-03-04 17:16 ` Dominick Grift
2010-03-04 18:37 ` Christopher J. PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.