From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Any word on updating the base so we can start pushing fixes into contrib?
Date: Thu, 15 Dec 2011 08:54:20 -0500
Message-ID: <4EE9FC0C.6090009@tresys.com>
In-Reply-To: <4EE7B685.1090300@redhat.com>

On 12/13/11 15:33, Daniel J Walsh wrote:
> On 12/13/2011 02:02 PM, Christopher J. PeBenito wrote:
>> Which patch(es) are blocking that?
> 
> Add new attributes to define a domain as a homedirreader or
> homedirwriter.

I don't agree with the homedirreader and homedirwriter concepts.  I think the appropriate way to abstract all of this noxattr home dir access is to do this for all of the existing interfaces.  I would have done this in the first place, if there wasn't the problem with nested conditionals.

So for example, take userdom_list_user_home_content.  The ideal would be

interface(`userdom_list_user_home_content',`
        gen_require(`
                type user_home_t;
        ')

        allow $1 user_home_t:dir list_dir_perms;

        tunable_policy(`use_nfs_home_dirs',`
                fs_read_nfs_files($1)
        ')

        tunable_policy(`use_samba_home_dirs',`
                fs_read_cifs_files($1)
        ')
')

But since this would cause problems if calls to this interface were in a conditional, we couldn't do this.  I'd be fine taking an attribute style implementation like you have in this patch, but it would have to be for all of the relevant existing interfaces.  That should have the benefit of eliminating all of the use_nfs_home_dirs and use_samba_home_dirs strewn all over the policy.  If you skip the relabel, filetrans, domtrans, and dontaudit interfaces, I came up with 19 interfaces.


> New Policy for sblim
> New policy for glance from fedora
> New policy for matahari

I've merged these.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
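For reference, here is a sketch of the attribute-style alternative described in the mail above: the caller receives an attribute, and the use_nfs_home_dirs / use_samba_home_dirs rules are written once at module level against that attribute, so the interface no longer carries a tunable_policy that would nest inside a caller's conditional. This is an added illustration, not code from the mail or from refpolicy; the attribute name user_home_content_reader_type and the split between the .te and .if files are assumptions.

```m4
# --- userdomain.te (assumed placement) ---

# Hypothetical attribute: every domain allowed to list user home
# content gets this attribute instead of its own tunable block.
attribute user_home_content_reader_type;

# The tunables are evaluated exactly once here, for all domains
# carrying the attribute, so no call site has to repeat them and
# no tunable_policy ends up nested inside another conditional.
tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(user_home_content_reader_type)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(user_home_content_reader_type)
')

# --- userdomain.if (assumed placement) ---

interface(`userdom_list_user_home_content',`
	gen_require(`
		type user_home_t;
		attribute user_home_content_reader_type;
	')

	# Plain, unconditional rule for the labelled home directory.
	allow $1 user_home_t:dir list_dir_perms;

	# Hand the caller the attribute; the NFS/CIFS access is granted
	# by the module-level tunable_policy blocks, not by this interface.
	typeattribute $1 user_home_content_reader_type;
')
```

The same pattern would be repeated with one attribute per access level for the remaining read/write interfaces, which is what removes the use_nfs_home_dirs and use_samba_home_dirs blocks scattered across the policy modules.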

Thread overview: 7+ messages
2011-12-13 18:53 [refpolicy] Any word on updating the base so we can start pushing fixes into contrib? Daniel J Walsh
2011-12-13 19:02 ` Christopher J. PeBenito
2011-12-13 20:33   ` Daniel J Walsh
2011-12-15 13:54     ` Christopher J. PeBenito [this message]
2011-12-15 14:56       ` Daniel J Walsh
2011-12-16 15:29         ` Christopher J. PeBenito
2011-12-15 19:10       ` Daniel J Walsh