* [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-" @ 2010-08-24 19:50 James Carter 2010-08-25 13:05 ` Christopher J. PeBenito 0 siblings, 1 reply; 5+ messages in thread From: James Carter @ 2010-08-24 19:50 UTC (permalink / raw) To: refpolicy The *_except interfaces expect the caller to call it like this: files_read_all_dirs_except(foo_t, - bar_t) This makes the call argument hard to deal with because it is neither a type nor a set. Also an argument like $2 -shadow_t could either be a set or an MLS range. The *_except interfaces are never used except for in the *_except_shadow interfaces. The calls to the *_except_shadow interfaces never specify a second argument. files_manage_all_files is called only in portage.te (with no exception) and authlogin.if.
---
policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
policy/modules/system/authlogin.if | 10 ++--
2 files changed, 79 insertions(+), 23 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5302dac..9212dea 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
attribute file_type;
')
- allow $1 { file_type $2 }:dir list_dir_perms;
+ allow $1 { file_type - $2 }:dir list_dir_perms;
')
########################################
@@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
attribute file_type;
')
- read_files_pattern($1, { file_type $2 }, { file_type $2 })
+ read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
')
########################################
@@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
attribute file_type;
')
- read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
')
########################################
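Review bot: The `{ file_type - $2 }` form in files_read_all_dirs_except changes the calling convention, but the interface's `<param>` documentation sits above the hunk and is not touched by this patch; if it still tells callers to pass a leading `-`, a caller following it would now produce `{ file_type - -bar_t }`, which I would expect checkpolicy to reject rather than silently widen, but that should be confirmed with a build. Suggest updating that parameter summary to `## Type or set of types to exclude; do not prefix with "-".` so the documented contract matches the new expansion. Worth noting in the same summary that an empty second argument now yields `{ file_type - }`, which should fail at build time rather than grant access to every file_type, which is the safer failure mode. The -714 and -739 hunks have the same documentation gap, and all three enclosing interfaces start outside their hunks.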
@@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
########################################
## <summary>
+## Relabel all files on the filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the domain perfoming this action.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type : dir list_dir_perms;
+ relabel_dirs_pattern($1, file_type, file_type)
+ relabel_files_pattern($1, file_type, file_type)
+ relabel_lnk_files_pattern($1, file_type, file_type)
+ relabel_fifo_files_pattern($1, file_type, file_type)
+ relabel_sock_files_pattern($1, file_type, file_type)
+ relabelfrom_blk_files_pattern($1, file_type, file_type)
+ relabelfrom_chr_files_pattern($1, file_type, file_type)
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
+')
+
+########################################
+## <summary>
## Relabel all files on the filesystem, except
## the listed exceptions.
## </summary>
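Review bot: The `relabelfrom_blk_files_pattern` and `relabelfrom_chr_files_pattern` lines in the new files_relabel_all_files carry no explanation, while the `_except` variant later in this patch keeps `# this is only relabelfrom since there should be no` / `# device nodes with file types.`; copy that comment here so the relabelfrom-only asymmetry is not mistaken for an omission and "completed" with a relabelto grant. The parameter summary has a typo: `## The type of the domain perfoming this action.` should read `## The type of the domain performing this action.`. Because this interface grants relabelfrom and relabelto across every `file_type` with no exclusion, which is exactly what the `_except` callers are trying to avoid, the summary should say so, e.g. `## Relabel all files on the filesystem with no exceptions; prefer files_relabel_all_files_except() when any type must be protected.`. Minor style: `allow $1 file_type : dir list_dir_perms;` puts spaces around the colon, unlike the `}:dir` form used by the neighbouring interfaces in this file.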
@@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
## </param>
## <rolecap/>
#
-interface(`files_relabel_all_files',`
+interface(`files_relabel_all_files_except',`
gen_require(`
attribute file_type;
')
- allow $1 { file_type $2 }:dir list_dir_perms;
- relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+ allow $1 { file_type - $2 }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
# this is only relabelfrom since there should be no
# device nodes with file types.
- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
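Review bot: Renaming this interface to files_relabel_all_files_except while re-using the old name for the new no-exception interface earlier in the patch means an out-of-tree caller written against the old convention, `files_relabel_all_files(foo_t, -shadow_t)`, keeps building but now binds to the unrestricted interface; if the m4 interface wrapper ignores surplus arguments, as it appears to, the exclusion is silently dropped and foo_t gains relabel on shadow_t. That is a fail-open consequence beyond the compatibility question: the safer path is to give the unrestricted interface a fresh name, or to have the old name refuse a non-empty `$2` with a build-time message (a `refpolicywarn`-style check, if that helper is available in this tree). If the rename stays, the summary of files_relabel_all_files_except should state that callers previously used the unsuffixed name with a `-type` argument, so downstream policies know to audit their callers. The tail of the interface, including the unconditional `seutil_relabelto_bin_policy($1)`, continues past the hunk.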
@@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
########################################
## <summary>
+## Manage all files on the filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the domain perfoming this action.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_dirs_pattern($1, file_type, file_type)
+ manage_files_pattern($1, file_type, file_type)
+ manage_lnk_files_pattern($1, file_type, file_type)
+ manage_fifo_files_pattern($1, file_type, file_type)
+ manage_sock_files_pattern($1, file_type, file_type)
+
+ # satisfy the assertions:
+ seutil_create_bin_policy($1)
+ files_manage_kernel_modules($1)
+')
+
+########################################
+## <summary>
## Manage all files on the filesystem, except
## the listed exceptions.
## </summary>
@@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
## </param>
## <rolecap/>
#
-interface(`files_manage_all_files',`
+interface(`files_manage_all_files_except',`
gen_require(`
attribute file_type;
')
- manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
- manage_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+ manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
# satisfy the assertions:
seutil_create_bin_policy($1)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 7fddc24..c116df6 100644
--- a/policy/modules/system/authlogin.if
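Review bot: The new files_manage_all_files grants create/write/unlink over every `file_type` and then adds `seutil_create_bin_policy($1)` and `files_manage_kernel_modules($1)` on top, with `<rolecap/>`, yet its summary says only `## Manage all files on the filesystem.`; a domain given this interface is effectively unconfined with respect to the filesystem, shadow_t and the loaded policy included, and the summary should say so, e.g. `## Manage all files on the filesystem with no exceptions. This is equivalent to unconfined file access; prefer files_manage_all_files_except() where possible.`. The parameter summary repeats the `perfoming` typo from the relabel interface and should read `## The type of the domain performing this action.`. The body covers dirs, files, symlinks, fifos and sockets but, unlike the relabel interface above, says nothing about block and character devices; presumably intentional, but a one-line comment stating that would stop a later reader "completing" it.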
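Review bot: In files_manage_all_files_except the exclusion expressed by `{ file_type - $2 }` is not honoured by the trailing assertion-satisfying grant `seutil_create_bin_policy($1)` (nor, if the `files_manage_kernel_modules($1)` seen in the new unrestricted interface also follows past this hunk, by that one): a caller that lists the policy or kernel-module types as exceptions still receives manage access to them. The only in-tree caller excludes shadow_t, so nothing is widened today, but the interface's contract reads "except the listed exceptions" and the gap should be stated, e.g. `# NOTE: the assertion-satisfying grants below are not subject to $2.` placed above the `# satisfy the assertions:` line. The end of the interface lies outside the hunk.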
+++ b/policy/modules/system/authlogin.if
@@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
type shadow_t;
')
- files_read_all_dirs_except($1,$2 -shadow_t)
+ files_read_all_dirs_except($1, shadow_t)
')
########################################
@@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
type shadow_t;
')
- files_read_all_files_except($1,$2 -shadow_t)
+ files_read_all_files_except($1, shadow_t)
')
########################################
@@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
type shadow_t;
')
- files_read_all_symlinks_except($1,$2 -shadow_t)
+ files_read_all_symlinks_except($1, shadow_t)
')
########################################
@@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
type shadow_t;
')
- files_relabel_all_files($1,$2 -shadow_t)
+ files_relabel_all_files_except($1, shadow_t)
')
########################################
@@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
type shadow_t;
')
- files_manage_all_files($1,$2 -shadow_t)
+ files_manage_all_files_except($1, shadow_t)
')
########################################
-- James Carter <jwcart2@tycho.nsa.gov> National Security Agency ^ permalink raw reply related [flat|nested] 5+ messages in thread
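Review bot: auth_read_all_dirs_except_shadow now calls `files_read_all_dirs_except($1, shadow_t)` and no longer forwards `$2` at all, but the interface's doc block above the hunk is not updated; if it still advertises a second "additional exceptions" parameter, that `<param>` entry should be dropped so callers do not pass a type that is then silently ignored. Since a stale caller that still supplies a second argument would apparently build without complaint, consider a build-time warning on a non-empty `$2` (via the tree's `refpolicywarn` helper if present) so the dropped exclusion is visible rather than quietly lost. The same applies to the four sibling hunks in this file; each enclosing interface starts outside its hunk.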
* [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-" 2010-08-24 19:50 [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-" James Carter @ 2010-08-25 13:05 ` Christopher J. PeBenito 2010-08-25 14:19 ` James Carter 0 siblings, 1 reply; 5+ messages in thread From: Christopher J. PeBenito @ 2010-08-25 13:05 UTC (permalink / raw) To: refpolicy On 08/24/10 15:50, James Carter wrote: > The *_except interfaces expect the caller to call it like this: > files_read_all_dirs_except(foo_t, - bar_t) > > This makes the call argument hard to deal with because it is neither a > type nor a set. Also an argument like $2 -shadow_t could either be a > set or an MLS range. > > The *_except interfaces are never used except for in the *_except_shadow > interfaces. The calls to the *_except_shadow interfaces never specify a > second argument. > > files_manage_all_files is called only in portage.te (with no exception) > and authlogin.if. Theres two issues with this change: 1. It breaks API stability. 2. It doesn't work if you want to specify a set, e.g. files_read_all_dirs_except(foo_t, { bar_t baz_t }) > --- > policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++-------- > policy/modules/system/authlogin.if | 10 ++-- > 2 files changed, 79 insertions(+), 23 deletions(-) > > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if > index 5302dac..9212dea 100644 > --- a/policy/modules/kernel/files.if > +++ b/policy/modules/kernel/files.if > @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',` > attribute file_type; > ') > > - allow $1 { file_type $2 }:dir list_dir_perms; > + allow $1 { file_type - $2 }:dir list_dir_perms; > ') > > ######################################## 
> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',` > attribute file_type; > ') > > - read_files_pattern($1, { file_type $2 }, { file_type $2 }) > + read_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > ') > > ######################################## > @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',` > attribute file_type; > ') > > - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) > + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > ') > > ######################################## > @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',` > > ######################################## > ##<summary> > +## Relabel all files on the filesystem > +##</summary> > +##<param name="domain"> > +##<summary> > +## The type of the domain perfoming this action. > +##</summary> > +##</param> > +##<rolecap/> > +# > +interface(`files_relabel_all_files',` > + gen_require(` > + attribute file_type; > + ') > + > + allow $1 file_type : dir list_dir_perms; > + relabel_dirs_pattern($1, file_type, file_type) > + relabel_files_pattern($1, file_type, file_type) > + relabel_lnk_files_pattern($1, file_type, file_type) > + relabel_fifo_files_pattern($1, file_type, file_type) > + relabel_sock_files_pattern($1, file_type, file_type) > + relabelfrom_blk_files_pattern($1, file_type, file_type) > + relabelfrom_chr_files_pattern($1, file_type, file_type) > + > + # satisfy the assertions: > + seutil_relabelto_bin_policy($1) > +') > + > +######################################## > +##<summary> > ## Relabel all files on the filesystem, except > ## the listed exceptions. > ##</summary> 
> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',` > ##</param> > ##<rolecap/> > # > -interface(`files_relabel_all_files',` > +interface(`files_relabel_all_files_except',` > gen_require(` > attribute file_type; > ') > > - allow $1 { file_type $2 }:dir list_dir_perms; > - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 }) > - relabel_files_pattern($1, { file_type $2 }, { file_type $2 }) > - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) > - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) > - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) > + allow $1 { file_type - $2 }:dir list_dir_perms; > + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 }) > + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > # this is only relabelfrom since there should be no > # device nodes with file types. > - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) > - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) > + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > # satisfy the assertions: > seutil_relabelto_bin_policy($1) 
> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',` > > ######################################## > ##<summary> > +## Manage all files on the filesystem. > +##</summary> > +##<param name="domain"> > +##<summary> > +## The type of the domain perfoming this action. > +##</summary> > +##</param> > +##<rolecap/> > +# > +interface(`files_manage_all_files',` > + gen_require(` > + attribute file_type; > + ') > + > + manage_dirs_pattern($1, file_type, file_type) > + manage_files_pattern($1, file_type, file_type) > + manage_lnk_files_pattern($1, file_type, file_type) > + manage_fifo_files_pattern($1, file_type, file_type) > + manage_sock_files_pattern($1, file_type, file_type) > + > + # satisfy the assertions: > + seutil_create_bin_policy($1) > + files_manage_kernel_modules($1) > +') > + > +######################################## > +##<summary> > ## Manage all files on the filesystem, except > ## the listed exceptions. > ##</summary> > @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',` > ##</param> > ##<rolecap/> > # > -interface(`files_manage_all_files',` > +interface(`files_manage_all_files_except',` > gen_require(` > attribute file_type; > ') > > - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 }) > - manage_files_pattern($1, { file_type $2 }, { file_type $2 }) > - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) > - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) > - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) > + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 }) > + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > # satisfy the assertions: > seutil_create_bin_policy($1) 
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if > index 7fddc24..c116df6 100644 > --- a/policy/modules/system/authlogin.if > +++ b/policy/modules/system/authlogin.if > @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',` > type shadow_t; > ') > > - files_read_all_dirs_except($1,$2 -shadow_t) > + files_read_all_dirs_except($1, shadow_t) > ') > > ######################################## > @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',` > type shadow_t; > ') > > - files_read_all_files_except($1,$2 -shadow_t) > + files_read_all_files_except($1, shadow_t) > ') > > ######################################## > @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',` > type shadow_t; > ') > > - files_read_all_symlinks_except($1,$2 -shadow_t) > + files_read_all_symlinks_except($1, shadow_t) > ') > > ######################################## > @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',` > type shadow_t; > ') > > - files_relabel_all_files($1,$2 -shadow_t) > + files_relabel_all_files_except($1, shadow_t) > ') > > ######################################## > @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',` > type shadow_t; > ') > > - files_manage_all_files($1,$2 -shadow_t) > + files_manage_all_files_except($1, shadow_t) > ') > > ######################################## > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-" 2010-08-25 13:05 ` Christopher J. PeBenito @ 2010-08-25 14:19 ` James Carter 2010-08-25 15:56 ` Christopher J. PeBenito 0 siblings, 1 reply; 5+ messages in thread From: James Carter @ 2010-08-25 14:19 UTC (permalink / raw) To: refpolicy On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote: > On 08/24/10 15:50, James Carter wrote: > > The *_except interfaces expect the caller to call it like this: > > files_read_all_dirs_except(foo_t, - bar_t) > > > > This makes the call argument hard to deal with because it is neither a > > type nor a set. Also an argument like $2 -shadow_t could either be a > > set or an MLS range. > > > > The *_except interfaces are never used except for in the *_except_shadow > > interfaces. The calls to the *_except_shadow interfaces never specify a > > second argument. > > > > files_manage_all_files is called only in portage.te (with no exception) > > and authlogin.if. > > Theres two issues with this change: > > 1. It breaks API stability. That may be true, but the current interface makes no sense to me. If I use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows access to file_type and bar_t. It doesn't exclude anything. > 2. It doesn't work if you want to specify a set, e.g. > > files_read_all_dirs_except(foo_t, { bar_t baz_t }) > Why doesn't that work? Doesn't that give { file_type - { bar_t baz_t } }? Again, if you don't like the changes, that's fine. It is just something that will have to be worked around. Any changes that you do accept just makes life a easier. > > --- > > policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++-------- > > policy/modules/system/authlogin.if | 10 ++-- > > 2 files changed, 79 insertions(+), 23 deletions(-) > > > > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if > > index 5302dac..9212dea 100644 > > --- a/policy/modules/kernel/files.if 
> > +++ b/policy/modules/kernel/files.if > > @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',` > > attribute file_type; > > ') > > > > - allow $1 { file_type $2 }:dir list_dir_perms; > > + allow $1 { file_type - $2 }:dir list_dir_perms; > > ') > > > > ######################################## > > @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',` > > attribute file_type; > > ') > > > > - read_files_pattern($1, { file_type $2 }, { file_type $2 }) > > + read_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > ') > > > > ######################################## > > @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',` > > attribute file_type; > > ') > > > > - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) > > + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > ') > > > > ######################################## 
> > @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',` > > > > ######################################## > > ##<summary> > > +## Relabel all files on the filesystem > > +##</summary> > > +##<param name="domain"> > > +##<summary> > > +## The type of the domain perfoming this action. > > +##</summary> > > +##</param> > > +##<rolecap/> > > +# > > +interface(`files_relabel_all_files',` > > + gen_require(` > > + attribute file_type; > > + ') > > + > > + allow $1 file_type : dir list_dir_perms; > > + relabel_dirs_pattern($1, file_type, file_type) > > + relabel_files_pattern($1, file_type, file_type) > > + relabel_lnk_files_pattern($1, file_type, file_type) > > + relabel_fifo_files_pattern($1, file_type, file_type) > > + relabel_sock_files_pattern($1, file_type, file_type) > > + relabelfrom_blk_files_pattern($1, file_type, file_type) > > + relabelfrom_chr_files_pattern($1, file_type, file_type) > > + > > + # satisfy the assertions: > > + seutil_relabelto_bin_policy($1) > > +') > > + > > +######################################## > > +##<summary> > > ## Relabel all files on the filesystem, except > > ## the listed exceptions. > > ##</summary> 
> > @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',` > > ##</param> > > ##<rolecap/> > > # > > -interface(`files_relabel_all_files',` > > +interface(`files_relabel_all_files_except',` > > gen_require(` > > attribute file_type; > > ') > > > > - allow $1 { file_type $2 }:dir list_dir_perms; > > - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 }) > > - relabel_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) > > + allow $1 { file_type - $2 }:dir list_dir_perms; > > + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > # this is only relabelfrom since there should be no > > # device nodes with file types. > > - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) > > + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > > > # satisfy the assertions: > > seutil_relabelto_bin_policy($1) 
> > @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',` > > > > ######################################## > > ##<summary> > > +## Manage all files on the filesystem. > > +##</summary> > > +##<param name="domain"> > > +##<summary> > > +## The type of the domain perfoming this action. > > +##</summary> > > +##</param> > > +##<rolecap/> > > +# > > +interface(`files_manage_all_files',` > > + gen_require(` > > + attribute file_type; > > + ') > > + > > + manage_dirs_pattern($1, file_type, file_type) > > + manage_files_pattern($1, file_type, file_type) > > + manage_lnk_files_pattern($1, file_type, file_type) > > + manage_fifo_files_pattern($1, file_type, file_type) > > + manage_sock_files_pattern($1, file_type, file_type) > > + > > + # satisfy the assertions: > > + seutil_create_bin_policy($1) > > + files_manage_kernel_modules($1) > > +') > > + > > +######################################## > > +##<summary> > > ## Manage all files on the filesystem, except > > ## the listed exceptions. > > ##</summary> 
> > @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',` > > ##</param> > > ##<rolecap/> > > # > > -interface(`files_manage_all_files',` > > +interface(`files_manage_all_files_except',` > > gen_require(` > > attribute file_type; > > ') > > > > - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 }) > > - manage_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) > > + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > > > # satisfy the assertions: > > seutil_create_bin_policy($1) > > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if > > index 7fddc24..c116df6 100644 > > --- a/policy/modules/system/authlogin.if > > +++ b/policy/modules/system/authlogin.if > > @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',` > > type shadow_t; > > ') > > > > - files_read_all_dirs_except($1,$2 -shadow_t) > > + files_read_all_dirs_except($1, shadow_t) > > ') > > > > ######################################## > > @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',` > > type shadow_t; > > ') > > > > - files_read_all_files_except($1,$2 -shadow_t) > > + files_read_all_files_except($1, shadow_t) > > ') > > > > ######################################## 
> > @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',` > > type shadow_t; > > ') > > > > - files_read_all_symlinks_except($1,$2 -shadow_t) > > + files_read_all_symlinks_except($1, shadow_t) > > ') > > > > ######################################## > > @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',` > > type shadow_t; > > ') > > > > - files_relabel_all_files($1,$2 -shadow_t) > > + files_relabel_all_files_except($1, shadow_t) > > ') > > > > ######################################## > > @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',` > > type shadow_t; > > ') > > > > - files_manage_all_files($1,$2 -shadow_t) > > + files_manage_all_files_except($1, shadow_t) > > ') > > > > ######################################## > > > > -- James Carter <jwcart2@tycho.nsa.gov> National Security Agency ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-" 2010-08-25 14:19 ` James Carter @ 2010-08-25 15:56 ` Christopher J. PeBenito 2010-08-25 17:10 ` James Carter 0 siblings, 1 reply; 5+ messages in thread 
From: Christopher J. PeBenito @ 2010-08-25 15:56 UTC (permalink / raw) To: refpolicy On 08/25/10 10:19, James Carter wrote: > On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote: >> On 08/24/10 15:50, James Carter wrote: >>> The *_except interfaces expect the caller to call it like this: >>> files_read_all_dirs_except(foo_t, - bar_t) >>> >>> This makes the call argument hard to deal with because it is neither a >>> type nor a set. Also an argument like $2 -shadow_t could either be a >>> set or an MLS range. >>> >>> The *_except interfaces are never used except for in the *_except_shadow >>> interfaces. The calls to the *_except_shadow interfaces never specify a >>> second argument. >>> >>> files_manage_all_files is called only in portage.te (with no exception) >>> and authlogin.if. >> >> Theres two issues with this change: >> >> 1. It breaks API stability. > > That may be true, but the current interface makes no sense to me. If I > use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows > access to file_type and bar_t. It doesn't exclude anything. > >> 2. It doesn't work if you want to specify a set, e.g. >> >> files_read_all_dirs_except(foo_t, { bar_t baz_t }) >> > Why doesn't that work? Doesn't that give > { file_type - { bar_t baz_t } }? I didn't think that was valid. Is it? > Again, if you don't like the changes, that's fine. It is just something > that will have to be worked around. Any changes that you do accept just > makes life a easier. I'd like to get rid of the interfaces completely. I just haven't come up with a better way of getting { files_type -shadow_t } without breaking encapsulation. Perhaps we just have to rethink the access or concept. >>> --- >>> policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++-------- >>> policy/modules/system/authlogin.if | 10 ++-- >>> 2 files changed, 79 insertions(+), 23 deletions(-) 
>>> >>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if >>> index 5302dac..9212dea 100644 >>> --- a/policy/modules/kernel/files.if >>> +++ b/policy/modules/kernel/files.if >>> @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',` >>> attribute file_type; >>> ') >>> >>> - allow $1 { file_type $2 }:dir list_dir_perms; >>> + allow $1 { file_type - $2 }:dir list_dir_perms; >>> ') >>> >>> ######################################## >>> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',` >>> attribute file_type; >>> ') >>> >>> - read_files_pattern($1, { file_type $2 }, { file_type $2 }) >>> + read_files_pattern($1, { file_type - $2 }, { file_type - $2 }) >>> ') >>> >>> ######################################## >>> @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',` >>> attribute file_type; >>> ') >>> >>> - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) >>> + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) >>> ') >>> >>> ######################################## 
>>> @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',` >>> >>> ######################################## >>> ##<summary> >>> +## Relabel all files on the filesystem >>> +##</summary> >>> +##<param name="domain"> >>> +##<summary> >>> +## The type of the domain perfoming this action. >>> +##</summary> >>> +##</param> >>> +##<rolecap/> >>> +# >>> +interface(`files_relabel_all_files',` >>> + gen_require(` >>> + attribute file_type; >>> + ') >>> + >>> + allow $1 file_type : dir list_dir_perms; >>> + relabel_dirs_pattern($1, file_type, file_type) >>> + relabel_files_pattern($1, file_type, file_type) >>> + relabel_lnk_files_pattern($1, file_type, file_type) >>> + relabel_fifo_files_pattern($1, file_type, file_type) >>> + relabel_sock_files_pattern($1, file_type, file_type) >>> + relabelfrom_blk_files_pattern($1, file_type, file_type) >>> + relabelfrom_chr_files_pattern($1, file_type, file_type) >>> + >>> + # satisfy the assertions: >>> + seutil_relabelto_bin_policy($1) >>> +') >>> + >>> +######################################## >>> +##<summary> >>> ## Relabel all files on the filesystem, except >>> ## the listed exceptions. >>> ##</summary> 
>>> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',` >>> ##</param> >>> ##<rolecap/> >>> # >>> -interface(`files_relabel_all_files',` >>> +interface(`files_relabel_all_files_except',` >>> gen_require(` >>> attribute file_type; >>> ') >>> >>> - allow $1 { file_type $2 }:dir list_dir_perms; >>> - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 }) >>> - relabel_files_pattern($1, { file_type $2 }, { file_type $2 }) >>> - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) >>> - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) >>> - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) >>> + allow $1 { file_type - $2 }:dir list_dir_perms; >>> + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 }) >>> + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 }) >>> + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) >>> + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 }) >>> + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 }) >>> # this is only relabelfrom since there should be no >>> # device nodes with file types. >>> - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) >>> - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) >>> + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) >>> + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 }) >>> >>> # satisfy the assertions: >>> seutil_relabelto_bin_policy($1) 
>>> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',` >>> >>> ######################################## >>> ##<summary> >>> +## Manage all files on the filesystem. >>> +##</summary> >>> +##<param name="domain"> >>> +##<summary> >>> +## The type of the domain perfoming this action. >>> +##</summary> >>> +##</param> >>> +##<rolecap/> >>> +# >>> +interface(`files_manage_all_files',` >>> + gen_require(` >>> + attribute file_type; >>> + ') >>> + >>> + manage_dirs_pattern($1, file_type, file_type) >>> + manage_files_pattern($1, file_type, file_type) >>> + manage_lnk_files_pattern($1, file_type, file_type) >>> + manage_fifo_files_pattern($1, file_type, file_type) >>> + manage_sock_files_pattern($1, file_type, file_type) >>> + >>> + # satisfy the assertions: >>> + seutil_create_bin_policy($1) >>> + files_manage_kernel_modules($1) >>> +') >>> + >>> +######################################## >>> +##<summary> >>> ## Manage all files on the filesystem, except >>> ## the listed exceptions. >>> ##</summary> 
>>> @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
>>> ##</param>
>>> ##<rolecap/>
>>> #
>>> -interface(`files_manage_all_files',`
>>> +interface(`files_manage_all_files_except',`
>>> gen_require(`
>>> attribute file_type;
>>> ')
>>>
>>> - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>>
>>> # satisfy the assertions:
>>> seutil_create_bin_policy($1)
>>> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
>>> index 7fddc24..c116df6 100644
>>> --- a/policy/modules/system/authlogin.if
>>> +++ b/policy/modules/system/authlogin.if
>>> @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_dirs_except($1,$2 -shadow_t)
>>> + files_read_all_dirs_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_files_except($1,$2 -shadow_t)
>>> + files_read_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
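Review bot: The `$2` that `auth_read_all_dirs_except_shadow` used to forward is dropped here, so a third-party caller that passes a second argument now has it silently ignored rather than rejected or applied. The commit message says no in-tree caller supplies it, but if the interface's XML still documents that parameter (it sits outside this 7-line hunk), the `<param>` block should be removed in the same patch, or at least marked `## Unused; retained for call compatibility.` so external policy is not misled. The same applies to the `auth_read_all_files_except_shadow`, `auth_read_all_symlinks_except_shadow`, `auth_relabel_all_files_except_shadow` and `auth_manage_all_files_except_shadow` hunks.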
>>> @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_symlinks_except($1,$2 -shadow_t)
>>> + files_read_all_symlinks_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_relabel_all_files($1,$2 -shadow_t)
>>> + files_relabel_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_manage_all_files($1,$2 -shadow_t)
>>> + files_manage_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> >> >> > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-" 2010-08-25 15:56 ` Christopher J. PeBenito @ 2010-08-25 17:10 ` James Carter 0 siblings, 0 replies; 5+ messages in thread 
From: James Carter @ 2010-08-25 17:10 UTC (permalink / raw) To: refpolicy On Wed, 2010-08-25 at 11:56 -0400, Christopher J. PeBenito wrote: > On 08/25/10 10:19, James Carter wrote: > > On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote: > >> On 08/24/10 15:50, James Carter wrote: > >>> The *_except interfaces expect the caller to call it like this: > >>> files_read_all_dirs_except(foo_t, - bar_t) > >>> > >>> This makes the call argument hard to deal with because it is neither a > >>> type nor a set. Also an argument like $2 -shadow_t could either be a > >>> set or an MLS range. > >>> > >>> The *_except interfaces are never used except for in the *_except_shadow > >>> interfaces. The calls to the *_except_shadow interfaces never specify a > >>> second argument. > >>> > >>> files_manage_all_files is called only in portage.te (with no exception) > >>> and authlogin.if. > >> > >> Theres two issues with this change: > >> > >> 1. It breaks API stability. > > > > That may be true, but the current interface makes no sense to me. If I > > use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows > > access to file_type and bar_t. It doesn't exclude anything. > > > >> 2. It doesn't work if you want to specify a set, e.g. > >> > >> files_read_all_dirs_except(foo_t, { bar_t baz_t }) > >> > > Why doesn't that work? Doesn't that give > > { file_type - { bar_t baz_t } }? > > I didn't think that was valid. Is it? You're right. It's not valid. I didn't realize the set expressions were that limited. And I went through all that trouble making sure that my parser could handle arbitrary set expressions. > > > Again, if you don't like the changes, that's fine. It is just something > > that will have to be worked around. Any changes that you do accept just > > makes life a easier. > > I'd like to get rid of the interfaces completely. I just haven't come > up with a better way of getting { files_type -shadow_t } without > breaking encapsulation. 
Perhaps we just have to rethink the access or > concept. > The interfaces are only used in Refpolicy for shadow_t. If special interfaces could be made for shadow_t, while retaining the old ones for compatibility, then at least Refpolicy itself would not have "-shadow_t" as an argument. That would help a bunch.
> >>> ---
> >>> policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
> >>> policy/modules/system/authlogin.if | 10 ++--
> >>> 2 files changed, 79 insertions(+), 23 deletions(-)
> >>>
> >>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> >>> index 5302dac..9212dea 100644
> >>> --- a/policy/modules/kernel/files.if
> >>> +++ b/policy/modules/kernel/files.if
> >>> @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - allow $1 { file_type $2 }:dir list_dir_perms;
> >>> + allow $1 { file_type - $2 }:dir list_dir_perms;
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - read_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
> >>>
> >>> ########################################
> >>> ##<summary>
> >>> +## Relabel all files on the filesystem
> >>> +##</summary>
> >>> +##<param name="domain">
> >>> +##<summary>
> >>> +## The type of the domain perfoming this action.
> >>> +##</summary>
> >>> +##</param>
> >>> +##<rolecap/>
> >>> +#
> >>> +interface(`files_relabel_all_files',`
> >>> + gen_require(`
> >>> + attribute file_type;
> >>> + ')
> >>> +
> >>> + allow $1 file_type : dir list_dir_perms;
> >>> + relabel_dirs_pattern($1, file_type, file_type)
> >>> + relabel_files_pattern($1, file_type, file_type)
> >>> + relabel_lnk_files_pattern($1, file_type, file_type)
> >>> + relabel_fifo_files_pattern($1, file_type, file_type)
> >>> + relabel_sock_files_pattern($1, file_type, file_type)
> >>> + relabelfrom_blk_files_pattern($1, file_type, file_type)
> >>> + relabelfrom_chr_files_pattern($1, file_type, file_type)
> >>> +
> >>> + # satisfy the assertions:
> >>> + seutil_relabelto_bin_policy($1)
> >>> +')
> >>> +
> >>> +########################################
> >>> +##<summary>
> >>> ## Relabel all files on the filesystem, except
> >>> ## the listed exceptions.
> >>> ##</summary>
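Review bot: Style: the new `allow $1 file_type : dir list_dir_perms;` puts spaces around the class separator while every other rule in the patch writes `:dir` flush against the target, so `allow $1 file_type:dir list_dir_perms;` would match the surrounding code. The summary `## Relabel all files on the filesystem` is the only one in the patch without a terminating period, and `perfoming` in the `<param>` summary should read `performing`. It is also worth saying in the summary that relabelfrom/relabelto over the whole of `file_type` lets the caller change the label of shadow_t and similarly sensitive types, which is presumably why the `_except` variant that follows exists.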
> >>> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
> >>> ##</param>
> >>> ##<rolecap/>
> >>> #
> >>> -interface(`files_relabel_all_files',`
> >>> +interface(`files_relabel_all_files_except',`
> >>> gen_require(`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - allow $1 { file_type $2 }:dir list_dir_perms;
> >>> - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + allow $1 { file_type - $2 }:dir list_dir_perms;
> >>> + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> # this is only relabelfrom since there should be no
> >>> # device nodes with file types.
> >>> - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>
> >>> # satisfy the assertions:
> >>> seutil_relabelto_bin_policy($1)
> >>> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
> >>>
> >>> ########################################
> >>> ##<summary>
> >>> +## Manage all files on the filesystem.
> >>> +##</summary>
> >>> +##<param name="domain">
> >>> +##<summary>
> >>> +## The type of the domain perfoming this action.
> >>> +##</summary>
> >>> +##</param>
> >>> +##<rolecap/>
> >>> +#
> >>> +interface(`files_manage_all_files',`
> >>> + gen_require(`
> >>> + attribute file_type;
> >>> + ')
> >>> +
> >>> + manage_dirs_pattern($1, file_type, file_type)
> >>> + manage_files_pattern($1, file_type, file_type)
> >>> + manage_lnk_files_pattern($1, file_type, file_type)
> >>> + manage_fifo_files_pattern($1, file_type, file_type)
> >>> + manage_sock_files_pattern($1, file_type, file_type)
> >>> +
> >>> + # satisfy the assertions:
> >>> + seutil_create_bin_policy($1)
> >>> + files_manage_kernel_modules($1)
> >>> +')
> >>> +
> >>> +########################################
> >>> +##<summary>
> >>> ## Manage all files on the filesystem, except
> >>> ## the listed exceptions.
> >>> ##</summary>
> >>> @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
> >>> ##</param>
> >>> ##<rolecap/>
> >>> #
> >>> -interface(`files_manage_all_files',`
> >>> +interface(`files_manage_all_files_except',`
> >>> gen_require(`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>
> >>> # satisfy the assertions:
> >>> seutil_create_bin_policy($1)
> >>> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> >>> index 7fddc24..c116df6 100644
> >>> --- a/policy/modules/system/authlogin.if
> >>> +++ b/policy/modules/system/authlogin.if
> >>> @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_read_all_dirs_except($1,$2 -shadow_t)
> >>> + files_read_all_dirs_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_read_all_files_except($1,$2 -shadow_t)
> >>> + files_read_all_files_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_read_all_symlinks_except($1,$2 -shadow_t)
> >>> + files_read_all_symlinks_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_relabel_all_files($1,$2 -shadow_t)
> >>> + files_relabel_all_files_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_manage_all_files($1,$2 -shadow_t)
> >>> + files_manage_all_files_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> > >> > >> > > > > -- James Carter <jwcart2@tycho.nsa.gov> National Security Agency ^ permalink raw reply [flat|nested] 5+ messages in thread