From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 15 Dec 2011 08:54:20 -0500
Subject: [refpolicy] Any word on updating the base so we can start pushing fixes into contrib?
In-Reply-To: <4EE7B685.1090300@redhat.com>
References: <4EE79F37.3050806@redhat.com> <4EE7A12E.30203@tresys.com> <4EE7B685.1090300@redhat.com>
Message-ID: <4EE9FC0C.6090009@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/13/11 15:33, Daniel J Walsh wrote:
> On 12/13/2011 02:02 PM, Christopher J. PeBenito wrote:
>> Which patch(es) are blocking that?
>
> Add new attributes to define a domain as a homedirreader or
> homedirwriter.

I don't agree with the homedirreader and homedirwriter concepts. I think the appropriate way to abstract all of this noxattr home dir access is to do this for all of the existing interfaces. I would have done this in the first place, if there wasn't the problem with nested conditionals. So for example, take userdom_list_user_home_content. The ideal would be:

	interface(`userdom_list_user_home_content',`
		gen_require(`
			type user_home_t;
		')

		allow $1 user_home_t:dir list_dir_perms;

		tunable_policy(`use_nfs_home_dirs',`
			fs_read_nfs_files($1)
		')

		tunable_policy(`use_samba_home_dirs',`
			fs_read_cifs_files($1)
		')
	')

But since this would cause problems if calls to this interface were in a conditional, we couldn't do this. I'd be fine taking an attribute-style implementation like you have in this patch, but it would have to be for all of the relevant existing interfaces. That should have the benefit of eliminating all of the use_nfs_home_dirs and use_samba_home_dirs strewn all over the policy. If you skip the relabel, filetrans, domtrans, and dontaudit interfaces, I came up with 19 interfaces.

> New Policy for sblim
> New policy for glance from fedora
> New policy for matahari

I've merged these.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
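To make the attribute-style alternative discussed in the message above concrete, here is an added illustration of how userdom_list_user_home_content could be restructured so the caller is added to an attribute and the two home-directory tunables are written exactly once in the userdomain module. This is example code written for this page, not the patch under discussion and not refpolicy's own implementation; the attribute name user_home_content_lister is a placeholder, and it assumes refpolicy's existing fs_list_nfs and fs_list_cifs interfaces and the list_dir_perms macro.

```m4
########################################
# userdomain.te (illustrative excerpt, not refpolicy's own file)
#
# Every domain that may list user home content is collected under one
# attribute.  The name is a placeholder chosen for this example.
attribute user_home_content_lister;

# The plain home-directory access rule is written once here, keyed on
# the attribute, instead of once per calling interface.
allow user_home_content_lister user_home_t:dir list_dir_perms;

# The NFS and CIFS tunables also appear once, at the top level of the
# module.  Because no caller ever expands these blocks itself, a caller
# can never produce a nested conditional.
tunable_policy(`use_nfs_home_dirs',`
	fs_list_nfs(user_home_content_lister)
')

tunable_policy(`use_samba_home_dirs',`
	fs_list_cifs(user_home_content_lister)
')

########################################
# userdomain.if (illustrative excerpt)
#
## <summary>
##	List the contents of user home directories, including NFS
##	and CIFS home directories when use_nfs_home_dirs or
##	use_samba_home_dirs is enabled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_user_home_content',`
	gen_require(`
		attribute user_home_content_lister;
	')

	# The interface body is now a single typeattribute: the allow rule
	# and both tunables are inherited from userdomain.te above.
	typeattribute $1 user_home_content_lister;
')

########################################
# A caller (e.g. a hypothetical foo.te) is unchanged at the call site:
#
#	userdom_list_user_home_content(foo_t)
#
# and gets the NFS/CIFS access automatically whenever the tunables are
# set, with no use_nfs_home_dirs or use_samba_home_dirs block of its own.
```

One caveat for anyone converting the remaining interfaces this way: typeattribute is itself not permitted inside a conditional block, so an interface rewritten like this still cannot be called from within a caller's tunable_policy. Any existing call sites that wrap the interface in a tunable would need to be moved out of the conditional (or given an attribute of their own) as part of the same conversion.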