From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Interfaces in refpolicy.
Date: Mon, 07 Jan 2013 09:46:51 -0500 [thread overview]
Message-ID: <50EADFDB.5040507@redhat.com> (raw)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We were have a side talk between Miroslav, Dominick and me about interfaces.
Dominick has merged lots of new policy from Fedora in to the contrib directory
of refpolicy but he has been only including the interfaces that are actually
used. This has been the traditional way Chris has accepted interfaces into
the upstream project. (Other then _admin and _domtrans). This is causing
Miroslav problems merging in the lastest upstream back into Fedora, since
Fedora has many interfaces defined that other domains are not currently using.
I believe that we should have a standard that each file type defined in a policy.
For example
getattr_dir
read_dir
getattr_file
read_file
rw_inherited_file
manage_file
The current mechanism where we don't have a comprehensive list can cause two
problems for policy writers.
First it makes the chance of users/policy writers adding gen_require blocks
greatly increase
gen_require(`
type foobar_t;
')
which breaks the separation model that interfaces were built to fix.
Secondly audit2allow -R will return a looser policy. For example if your
domain needs to read foobar_var_lib_t, but only foobar_manage_var_lib_t exists,
audit2allow -R will return foobar_manage_var_lib(mydomain_t) and users are
likely to grab it.
sepolicy generate (sepolgen) Always generates a group of interfaces for each
type, and I believe we should add all these interfaces to upstream whether or
not other domains currently use the interface. If we define a standard group
of interfaces required for each type, then we could go through the policy and
add all the interfaces and make tools that help in generation of policy always
create the correct interface.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlDq39oACgkQrlYvE4MpobNjwQCeLUBlFyjjFOBL1VYk2nfRnXS5
qh8An2qljCyKYIMxzMO02V8QGa+skpE6
=saxm
-----END PGP SIGNATURE-----
next reply other threads:[~2013-01-07 14:46 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-07 14:46 Daniel J Walsh [this message]
2013-01-07 15:09 ` [refpolicy] Interfaces in refpolicy Christopher J. PeBenito
2013-01-07 16:25 ` Dominick Grift
2013-01-07 16:35 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50EADFDB.5040507@redhat.com \
--to=dwalsh@redhat.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.