From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] This patch removes use of auth*files_except_auth_files in order to shrink size of policy.
Date: Fri, 9 Sep 2011 11:58:02 -0400 [thread overview]
Message-ID: <4E6A378A.9090309@tresys.com> (raw)
In-Reply-To: <4E57ADE0.7080908@redhat.com>
On 08/26/11 10:29, Daniel J Walsh wrote:
> diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
> index 633d2fc..8d62407 100644
> --- a/policy/modules/admin/dpkg.te
> +++ b/policy/modules/admin/dpkg.te
> @@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
> # for installing kernel packages
> storage_raw_read_fixed_disk(dpkg_t)
>
> -auth_relabel_all_files_except_auth_files(dpkg_t)
> -auth_manage_all_files_except_auth_files(dpkg_t)
> +files_relabel_non_security_files(dpkg_t)
> +files_manage_non_security_files(dpkg_t)
> auth_dontaudit_read_shadow(dpkg_t)
>
> files_exec_etc_files(dpkg_t)
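Review bot: `files_manage_non_security_files(dpkg_t)` is not obviously equivalent to the interface it replaces, because the definition added to files.if later in this patch expands only `manage_files_pattern` and `manage_lnk_files_pattern`. The body of the removed `auth_manage_all_files_except_auth_files` is not shown here; if it also covered directories, fifos and sockets, dpkg_t would start hitting denials when a package creates a directory. Either add `manage_dirs_pattern($1, non_security_file_type, non_security_file_type)` (and the fifo/sock equivalents) to the new interface, or confirm that other rules in dpkg.te already grant those classes. The same question applies to every other caller switched to this interface in the patch: dpkg_script_t, kernel_t, ftpd_t, sftpd_t, puppet_t, nfsd_t, smbd_t and nmbd_t.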
> @@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
>
> auth_dontaudit_getattr_shadow(dpkg_script_t)
> # ideally we would not need this
> -auth_manage_all_files_except_auth_files(dpkg_script_t)
> +files_manage_non_security_files(dpkg_script_t)
>
> init_domtrans_script(dpkg_script_t)
> init_use_script_fds(dpkg_script_t)
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index 7d964bf..ba6e400 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t)
>
> term_list_ptys(rpm_t)
>
> -auth_relabel_all_files_except_auth_files(rpm_t)
> -auth_manage_all_files_except_auth_files(rpm_t)
> +files_relabel_all_files(rpm_t)
> +files_manage_all_files(rpm_t)
> auth_dontaudit_read_shadow(rpm_t)
> auth_use_nsswitch(rpm_t)
>
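Review bot: `files_relabel_all_files(rpm_t)` and `files_manage_all_files(rpm_t)` widen access rather than replace it like for like: the removed interfaces excluded auth files by name, while these are called with no exception and, going by their names (their definitions are not in this patch), would include the shadow type. That conflicts with the `auth_dontaudit_read_shadow(rpm_t)` kept on the next line, and it differs from dpkg.te in this same patch, which moves to the `non_security` variants. If the widening is intended it should be stated and the dontaudit dropped; otherwise use `files_relabel_non_security_files(rpm_t)` and `files_manage_non_security_files(rpm_t)`. The rpm_script_t hunk that follows has the same widening and additionally swaps the narrow `auth_relabel_shadow(rpm_script_t)` for a relabel on all files.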
> @@ -304,8 +304,8 @@ term_use_all_terms(rpm_script_t)
> auth_dontaudit_getattr_shadow(rpm_script_t)
> auth_use_nsswitch(rpm_script_t)
> # ideally we would not need this
> -auth_manage_all_files_except_auth_files(rpm_script_t)
> -auth_relabel_shadow(rpm_script_t)
> +files_manage_all_files(rpm_script_t)
> +files_relabel_all_files(rpm_script_t)
>
> corecmd_exec_all_executables(rpm_script_t)
>
> diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
> index ebaff2f..de6b197 100644
> --- a/policy/modules/admin/sosreport.te
> +++ b/policy/modules/admin/sosreport.te
> @@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
>
> # some config files do not have configfile attribute
> # sosreport needs to read various files on system
> -auth_read_all_files_except_auth_files(sosreport_t)
> +files_read_non_security_files(sosreport_t)
> auth_use_nsswitch(sosreport_t)
>
> init_domtrans_script(sosreport_t)
> diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
> index 045fb86..a51a92d 100644
> --- a/policy/modules/admin/sxid.te
> +++ b/policy/modules/admin/sxid.te
> @@ -66,7 +66,7 @@ fs_list_all(sxid_t)
>
> term_dontaudit_use_console(sxid_t)
>
> -auth_read_all_files_except_auth_files(sxid_t)
> +files_read_non_security_files(sxid_t)
> auth_dontaudit_getattr_shadow(sxid_t)
>
> init_use_fds(sxid_t)
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index deb24b4..225c263 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -663,12 +663,63 @@ interface(`files_read_non_security_files',`
> attribute non_security_file_type;
> ')
>
> + list_dirs_pattern($1, non_security_file_type, non_security_file_type)
> read_files_pattern($1, non_security_file_type, non_security_file_type)
> read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> ')
>
> ########################################
> ## <summary>
> +## Manage all non-security files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_manage_non_security_files',`
> + gen_require(`
> + attribute non_security_file_type;
> + ')
> +
> + manage_files_pattern($1, non_security_file_type, non_security_file_type)
> + manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> +')
> +
> +########################################
> +## <summary>
> +## Relabel all non-security files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_relabel_non_security_files',`
> + gen_require(`
> + attribute non_security_file_type;
> + ')
> +
> + relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> + allow $1 { non_security_file_type }:dir list_dir_perms;
> + relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> +
> + # satisfy the assertions:
> + seutil_relabelto_bin_policy($1)
> +')
> +
> +########################################
> +## <summary>
> ## Read all directories on the filesystem, except
> ## the listed exceptions.
> ## </summary>
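Review bot: `files_relabel_non_security_files` reads as if it was copied from an all-files variant without being trimmed. `relabel_files_pattern` is expanded twice (once bare, once with braces), and the closing `seutil_relabelto_bin_policy($1)` would, judging by its name, grant relabelto on the binary policy type from an interface documented as "Relabel all non-security files". If `non_security_file_type` already excludes the policy type, the "satisfy the assertions" call should not be needed; drop it, or replace the comment with one naming the assertion that fails without it. The first `relabel_files_pattern` line and the `{ }` around a single attribute can go as well.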
> @@ -2451,7 +2502,7 @@ interface(`files_read_etc_files',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> @@ -3945,7 +3996,7 @@ interface(`files_getattr_tmp_dirs',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> @@ -4017,7 +4068,7 @@ interface(`files_list_tmp',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain not to audit.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> @@ -4202,7 +4253,7 @@ interface(`files_relabel_all_tmp_dirs',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain not to audit.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> @@ -4262,7 +4313,7 @@ interface(`files_relabel_all_tmp_files',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain not to audit.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index eac9961..797f131 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -336,7 +336,7 @@ optional_policy(`
> fs_read_noxattr_fs_symlinks(kernel_t)
>
> auth_read_all_dirs_except_auth_files(kernel_t)
> - auth_read_all_files_except_auth_files(kernel_t)
> + files_read_non_security_files(kernel_t)
> auth_read_all_symlinks_except_auth_files(kernel_t)
> ')
>
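Review bot: The conversion is only partial in this block: `auth_read_all_dirs_except_auth_files(kernel_t)` and `auth_read_all_symlinks_except_auth_files(kernel_t)` stay, although files.if in this patch makes `files_read_non_security_files` itself list directories and read symlinks. kernel_t therefore keeps directory and symlink access scoped to everything except auth files, while file reads are scoped to non-security types, and two of the `auth_*_except_auth_files` expansions the subject line sets out to remove are still present. Drop the two `auth_*` lines if the non-security scope is what is wanted, or add a comment saying why the wider directory scope is needed. The same mix remains in rpc.te (`nfs_export_all_ro`), rsync.te, samba.te (`samba_export_all_ro`) and mount.te; the enclosing optional_policy block starts outside this hunk.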
> @@ -346,7 +346,7 @@ optional_policy(`
> fs_read_noxattr_fs_files(kernel_t)
> fs_read_noxattr_fs_symlinks(kernel_t)
>
> - auth_manage_all_files_except_auth_files(kernel_t)
> + files_manage_non_security_files(kernel_t)
> ')
> ')
>
> diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
> index 89ddeaa..4b5119b 100644
> --- a/policy/modules/roles/secadm.te
> +++ b/policy/modules/roles/secadm.te
> @@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t)
> mls_file_downgrade(secadm_t)
>
> auth_role(secadm_r, secadm_t)
> -auth_relabel_all_files_except_auth_files(secadm_t)
> +files_relabel_non_security_files(secadm_t)
> auth_relabel_shadow(secadm_t)
>
> init_exec(secadm_t)
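Review bot: `files_relabel_non_security_files(secadm_t)` narrows what the security administrator domain can relabel. The removed interface excluded only auth files, whereas the replacement, per its definition in files.if in this patch, is limited to `non_security_file_type`. Shadow stays covered by the retained `auth_relabel_shadow(secadm_t)`, but any other security-typed file would no longer be relabelable by secadm_t; which types those are depends on the attribute assignments, which are not visible here. Confirm that this is intended for secadm_t, or add explicit relabel interfaces for the security types it still needs. restorecond_t in selinuxutil.te gets the same narrowing, and the stray space in `restorecond_t )` is carried over there.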
> diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
> index 02ffdfb..69c2d2c 100644
> --- a/policy/modules/services/ftp.te
> +++ b/policy/modules/services/ftp.te
> @@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
>
> tunable_policy(`allow_ftpd_full_access',`
> allow ftpd_t self:capability { dac_override dac_read_search };
> - auth_manage_all_files_except_auth_files(ftpd_t)
> + files_manage_non_security_files(ftpd_t)
> ')
>
> tunable_policy(`ftp_home_dir',`
> @@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
> tunable_policy(`sftpd_full_access',`
> allow sftpd_t self:capability { dac_override dac_read_search };
> fs_read_noxattr_fs_files(sftpd_t)
> - auth_manage_all_files_except_auth_files(sftpd_t)
> + files_manage_non_security_files(sftpd_t)
> ')
>
> tunable_policy(`use_samba_home_dirs',`
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> index 941f6e1..68985da 100644
> --- a/policy/modules/services/puppet.te
> +++ b/policy/modules/services/puppet.te
> @@ -134,7 +134,7 @@ sysnet_dns_name_resolve(puppet_t)
> sysnet_run_ifconfig(puppet_t, system_r)
>
> tunable_policy(`puppet_manage_all_files',`
> - auth_manage_all_files_except_auth_files(puppet_t)
> + files_manage_non_security_files(puppet_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
> index c537000..52ec13b 100644
> --- a/policy/modules/services/rgmanager.te
> +++ b/policy/modules/services/rgmanager.te
> @@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
> #term_use_ptmx(rgmanager_t)
>
> # needed by resources scripts
> -auth_read_all_files_except_auth_files(rgmanager_t)
> +files_read_non_security_files(rgmanager_t)
> auth_dontaudit_getattr_shadow(rgmanager_t)
> auth_use_nsswitch(rgmanager_t)
>
> diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
> index 62fca97..6c6d18b 100644
> --- a/policy/modules/services/rpc.te
> +++ b/policy/modules/services/rpc.te
> @@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
> dev_getattr_all_chr_files(nfsd_t)
>
> fs_read_noxattr_fs_files(nfsd_t)
> - auth_manage_all_files_except_auth_files(nfsd_t)
> + files_manage_non_security_files(nfsd_t)
> ')
>
> tunable_policy(`nfs_export_all_ro',`
> @@ -171,7 +171,7 @@ tunable_policy(`nfs_export_all_ro',`
> fs_read_noxattr_fs_files(nfsd_t)
>
> auth_read_all_dirs_except_auth_files(nfsd_t)
> - auth_read_all_files_except_auth_files(nfsd_t)
> + files_read_non_security_files(nfsd_t)
> ')
>
> ########################################
> diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
> index 1c381e1..51cedbd 100644
> --- a/policy/modules/services/rsync.te
> +++ b/policy/modules/services/rsync.te
> @@ -126,7 +126,7 @@ tunable_policy(`rsync_export_all_ro',`
> fs_read_nfs_files(rsync_t)
> fs_read_cifs_files(rsync_t)
> auth_read_all_dirs_except_auth_files(rsync_t)
> - auth_read_all_files_except_auth_files(rsync_t)
> + files_read_non_security_files(rsync_t)
> auth_read_all_symlinks_except_auth_files(rsync_t)
> auth_tunable_read_shadow(rsync_t)
> ')
> diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
> index df830cf..d1f1a15 100644
> --- a/policy/modules/services/samba.te
> +++ b/policy/modules/services/samba.te
> @@ -451,17 +451,17 @@ tunable_policy(`samba_create_home_dirs',`
> tunable_policy(`samba_export_all_ro',`
> fs_read_noxattr_fs_files(smbd_t)
> auth_read_all_dirs_except_auth_files(smbd_t)
> - auth_read_all_files_except_auth_files(smbd_t)
> + files_read_non_security_files(smbd_t)
> fs_read_noxattr_fs_files(nmbd_t)
> auth_read_all_dirs_except_auth_files(nmbd_t)
> - auth_read_all_files_except_auth_files(nmbd_t)
> + files_read_non_security_files(nmbd_t)
> ')
>
> tunable_policy(`samba_export_all_rw',`
> fs_read_noxattr_fs_files(smbd_t)
> - auth_manage_all_files_except_auth_files(smbd_t)
> + files_manage_non_security_files(smbd_t)
> fs_read_noxattr_fs_files(nmbd_t)
> - auth_manage_all_files_except_auth_files(nmbd_t)
> + files_manage_non_security_files(nmbd_t)
> userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
> ')
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 94e49e8..fd331b9 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -143,7 +143,7 @@ ifdef(`distro_ubuntu',`
>
> tunable_policy(`allow_mount_anyfile',`
> auth_read_all_dirs_except_auth_files(mount_t)
> - auth_read_all_files_except_auth_files(mount_t)
> + files_read_non_security_files(mount_t)
> files_mounton_non_security(mount_t)
> ')
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 508b206..52a5442 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -327,8 +327,8 @@ selinux_compute_create_context(restorecond_t)
> selinux_compute_relabel_context(restorecond_t)
> selinux_compute_user_contexts(restorecond_t)
>
> -auth_relabel_all_files_except_auth_files(restorecond_t )
> -auth_read_all_files_except_auth_files(restorecond_t)
> +files_relabel_non_security_files(restorecond_t )
> +files_read_non_security_files(restorecond_t)
> auth_use_nsswitch(restorecond_t)
>
> locallogin_dontaudit_use_fds(restorecond_t)
Generally speaking, I'm fine with this. However, I'm looking closely to make sure the new calls that are being made are the right ones.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com