From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Want to make typeattribute declarations possible in conditionals
Date: Tue, 23 Jul 2013 09:13:15 -0400
Message-ID: <51EE816B.8080406@redhat.com>
In-Reply-To: <20130723122207.GA21664@siphos.be>
On 07/23/2013 08:22 AM, Sven Vermeulen wrote:
> Hi all,
>
> I would like to be able to assign attributes to types in a conditional
> statement. Right now, this isn't allowed, and I don't know if it is
> feasible to look for a solution to this or not. Is this a real design
> constraint that will be hard to work around, or is this doable?
>
> Alternatives that I see are:
>
> - making the assignations part of separate, small SELinux modules that
>   users can unload/load
> - using interfaces that assign the permissions to the given domain, and
>   use this interface against the attribute. This will probably result in
>   two interfaces, foo_domain() to assign the attribute (for non-tunable
>   usage) and foo_domain_privileges() to assign the rights (for tunable
>   usage) - naming convention notwithstanding here.
> - decouple the requirement from the policy and let administrators do this
>
> The last approach means that the policy doesn't include the definitions
> anymore, instead providing a method (in the SELinux userspace utilities or
> distribution-specific) to assign attributes.
>
> For instance (mock-up):
>
> ~# semanage attribute -a -t mailserver_domain portage_t
>
> This would then create (or maintain) a small module that does the
> necessary declarations, like "typeattribute portage_t mailserver_domain".
>
> What is your opinion on this? Weird request?
>
> Wkr, Sven Vermeulen
>
>
I think it is fairly difficult, and I like the idea of enabling and disabling
modules to handle this. In Fedora we currently disable the unconfined module
which removes the domain_unconfined_type attribute from lots of domains.
We have done similar things with other domains. (Network stuff).
We probably should have a naming convention for this to make it easy to find
and potentially display them in a gui.
MODULE_tunable.pp or something like that, then we could enable or disable the
tunable to take away certain attributes.
NFSHOMEDIR_tunable.pp
CIFSHOMEDIR_tunable.pp
FUSEFSHOMEDIR_tunable.pp
For example.
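One way to realise the "small module" alternative discussed above, as an added example that is not from this thread or from refpolicy: a POSIX shell helper that generates a one-statement CIL module adding a type to an attribute, names it after the MODULE_tunable convention, and wraps semodule(8) to load, disable or re-enable it. The CIL file layout and the helper names are assumptions; portage_t and mailserver_domain are the names from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from refpolicy. Emulates the
# mock-up "semanage attribute -a -t mailserver_domain portage_t" by writing
# a standalone CIL module that carries only the attribute assignment, so
# the assignment can be enabled/disabled independently of the main policy.
# Helper names and the <attr>_<type>_tunable file layout are assumptions.

# Module name following the MODULE_tunable convention from the reply.
attr_module_name() {
    # $1 = attribute, $2 = type
    printf '%s_%s_tunable\n' "$1" "$2"
}

# Emit CIL that declares nothing new: it only references the existing
# type and attribute (global namespace) and adds the type to the attribute.
gen_attr_module_cil() {
    # $1 = attribute, $2 = type
    printf ';; generated: add type %s to attribute %s\n' "$2" "$1"
    printf '(typeattributeset %s (%s))\n' "$1" "$2"
}

# Write the module into a directory and print the resulting path.
write_attr_module() {
    # $1 = attribute, $2 = type, $3 = output directory
    name=$(attr_module_name "$1" "$2")
    out="$3/$name.cil"
    gen_attr_module_cil "$1" "$2" > "$out"
    printf '%s\n' "$out"
}

# Load, disable or re-enable the module with semodule(8). The semodule
# call itself is skipped when the SELinux userspace tools are absent.
manage_attr_module() {
    # $1 = add|disable|enable, $2 = attribute, $3 = type, $4 = directory
    case "$1" in
        add|disable|enable) ;;
        *) echo "usage: manage_attr_module add|disable|enable ATTR TYPE DIR" >&2
           return 1 ;;
    esac
    command -v semodule >/dev/null 2>&1 || {
        echo "semodule not found; would run: semodule for $1" >&2; return 0; }
    name=$(attr_module_name "$2" "$3")
    case "$1" in
        add)     semodule -i "$4/$name.cil" ;;   # install the .cil module
        disable) semodule -d "$name" ;;          # keep it, but drop the assignment
        enable)  semodule -e "$name" ;;          # restore the assignment
    esac
}
```

Disabling the module is the tunable-like switch: the type loses the attribute's rules without the main module being touched.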