From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 16 Dec 2011 10:29:46 -0500
Subject: [refpolicy] Any word on updating the base so we can start pushing fixes into contrib?
In-Reply-To: <4EEA0AA0.9040901@redhat.com>
References: <4EE79F37.3050806@redhat.com> <4EE7A12E.30203@tresys.com> <4EE7B685.1090300@redhat.com> <4EE9FC0C.6090009@tresys.com> <4EEA0AA0.9040901@redhat.com>
Message-ID: <4EEB63EA.4090203@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/15/11 09:56, Daniel J Walsh wrote:
> On 12/15/2011 08:54 AM, Christopher J. PeBenito wrote:
>> On 12/13/11 15:33, Daniel J Walsh wrote:
>>> On 12/13/2011 02:02 PM, Christopher J. PeBenito wrote:
>>>> Which patch(es) are blocking that?
>>>
>>> Add new attributes to define a domain as a homedirreader or
>>> homedirwriter.
>
>> I don't agree with the homedirreader and homedirwriter concepts. I
>> think the appropriate way to abstract all of this noxattr home
>> dir access is to do this for all of the existing interfaces. I
>> would have done this in the first place, if there wasn't the
>> problem with nested conditionals.
>
>> So for example, take userdom_list_user_home_content. The ideal
>> would be
>
>> interface(`userdom_list_user_home_content',`
>> 	gen_require(`
>> 		type user_home_t;
>> 	')
>
>> 	allow $1 user_home_t:dir list_dir_perms;
>
>> 	tunable_policy(`use_nfs_home_dirs',`
>> 		fs_read_nfs_files($1)
>> 	')
>
>> 	tunable_policy(`use_samba_home_dirs',`
>> 		fs_read_cifs_files($1)
>> 	')
>> ')
>
>> But since this would cause problems if calls to this interface were
>> in a conditional, we couldn't do this. I'd be fine taking an
>> attribute style implementation like you have in this patch, but it
>> would have to be for all of the relevant existing interfaces. That
>> should have the benefit of eliminating all of the use_nfs_home_dirs
>> and use_samba_home_dirs strewn all over the policy. If you skip
>> the relabel, filetrans, domtrans, and dontaudit interfaces, I came
>> up with 19 interfaces.
>
> Are you doing these or do you want me to?

I'm going to have to do more thinking about this. Instead of running into
the nested conditionals problem, it's going to run into the problem of
type_attributes in conditionals.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
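To make the attribute-style alternative discussed in the thread concrete, here is an added example (not code from this thread or from refpolicy) of how userdom_list_user_home_content could be restructured so the two tunables are written once instead of in every caller; the attribute name user_home_content_lister and its placement in userdomain.te are assumptions.

```m4
# userdomain.if (assumed placement)
########################################
## <summary>
##	List the contents of user home directories (attribute style).
##	Added example; user_home_content_lister is a hypothetical name.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_user_home_content',`
	gen_require(`
		attribute user_home_content_lister;
		type user_home_t;
	')

	# This typeattribute is what ties the caller to the NFS/CIFS rules
	# below. It is a declaration, not a conditional rule, so a caller
	# must not invoke this interface from inside a tunable_policy() block.
	typeattribute $1 user_home_content_lister;

	allow $1 user_home_t:dir list_dir_perms;
')

# userdomain.te (assumed placement): the tunables appear once here,
# at the top level, rather than in every domain that lists home dirs.
attribute user_home_content_lister;

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(user_home_content_lister)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(user_home_content_lister)
')
```

The limitation raised at the end of the mail is the typeattribute line: because it cannot sit inside the if-block that tunable_policy() expands to, every existing caller of the interface would have to be checked for calls made from within a conditional before the conversion is safe.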