From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 15 Dec 2011 09:56:32 -0500
Subject: [refpolicy] Any word on updating the base so we can start pushing fixes into contrib?
In-Reply-To: <4EE9FC0C.6090009@tresys.com>
References: <4EE79F37.3050806@redhat.com> <4EE7A12E.30203@tresys.com> <4EE7B685.1090300@redhat.com> <4EE9FC0C.6090009@tresys.com>
Message-ID: <4EEA0AA0.9040901@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/15/2011 08:54 AM, Christopher J. PeBenito wrote:
> On 12/13/11 15:33, Daniel J Walsh wrote:
>> On 12/13/2011 02:02 PM, Christopher J. PeBenito wrote:
>>> Which patch(es) are blocking that?
>>
>> Add new attributes to define a domain as a homedirreader or
>> homedirwriter.
>
> I don't agree with the homedirreader and homedirwriter concepts. I
> think the appropriate way to abstract all of this noxattr home
> dir access is to do this for all of the existing interfaces. I
> would have done this in the first place, if there wasn't the
> problem with nested conditionals.
>
> So for example, take userdom_list_user_home_content. The ideal
> would be
>
> interface(`userdom_list_user_home_content',`
> 	gen_require(`
> 		type user_home_t;
> 	')
>
> 	allow $1 user_home_t:dir list_dir_perms;
>
> 	tunable_policy(`use_nfs_home_dirs',`
> 		fs_read_nfs_files($1)
> 	')
>
> 	tunable_policy(`use_samba_home_dirs',`
> 		fs_read_cifs_files($1)
> 	')
> ')
>
> But since this would cause problems if calls to this interface were
> in a conditional, we couldn't do this. I'd be fine taking an
> attribute style implementation like you have in this patch, but it
> would have to be for all of the relevant existing interfaces. That
> should have the benefit of eliminating all of the use_nfs_home_dirs
> and use_samba_home_dirs strewn all over the policy. If you skip
> the relabel, filetrans, domtrans, and dontaudit interfaces, I came
> up with 19 interfaces.
>
> Are you doing these or do you want me to?
>
>> New Policy for sblim
>> New policy for glance from fedora
>> New policy for matahari
>
> I've merged these.
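An added illustration of the attribute-style alternative the quoted message asks for, applied to the same userdom_list_user_home_content interface; this is not code from the thread or from refpolicy itself, and the attribute name homedir_reader and its placement in userdomain.te are assumptions:

```m4
# userdomain.te (assumed location): declare the attribute once and attach
# the NFS/CIFS home-directory access to it here, at the top level, so the
# two tunables are written exactly once instead of inside every interface.
attribute homedir_reader;   # hypothetical name, modelled on the homedirreader concept

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(homedir_reader)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(homedir_reader)
')

# userdomain.if: the interface grants the local user_home_t access and marks
# the caller with the attribute. It carries no tunable_policy block of its
# own, which is what removes the per-interface use_nfs_home_dirs and
# use_samba_home_dirs duplication the message complains about.
interface(`userdom_list_user_home_content',`
	gen_require(`
		type user_home_t;
		attribute homedir_reader;
	')

	allow $1 user_home_t:dir list_dir_perms;
	typeattribute $1 homedir_reader;
')
```

Every domain passed to this interface inherits the NFS and CIFS rules through the attribute, so a change to the noxattr home-directory handling is made in one place rather than in each of the 19 interfaces counted above.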