From mboxrd@z Thu Jan 1 00:00:00 1970
From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 23 Jul 2013 09:13:15 -0400
Subject: [refpolicy] Want to make typeattribute declarations possible in conditionals
In-Reply-To: <20130723122207.GA21664@siphos.be>
References: <20130723122207.GA21664@siphos.be>
Message-ID: <51EE816B.8080406@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/23/2013 08:22 AM, Sven Vermeulen wrote:
> Hi all,
>
> I would like to be able to assign attributes to types in a conditional
> statement. Right now, this isn't allowed, and I don't know if it is
> feasible to look for a solution to this or not. Is this a real design
> constraint that will be hard to work around, or is this doable?
>
> Alternatives that I see are:
> - making the assignations part of separate, small SELinux modules that
>   users can unload/load
> - using interfaces that assign the permissions to the given domain, and
>   use this interface against the attribute. This will probably result in
>   two interfaces, foo_domain() to assign the attribute (for non-tunable
>   usage) and foo_domain_privileges() to assign the rights (for tunable
>   usage) - naming convention notwithstanding here.
> - decouple the requirement from the policy and let administrators do this
>
> The last approach means that the policy doesn't include the definitions
> anymore, instead providing a method (in the SELinux userspace utilities or
> distribution-specific) to assign attributes.
>
> For instance (mock-up):
>
> ~# semanage attribute -a -t mailserver_domain portage_t
>
> This would then create (or maintain) a small module that does the
> necessary declarations, like "typeattribute portage_t mailserver_domain".
>
> What is your opinion on this? Weird request?
>
> Wkr,
> Sven Vermeulen
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

I think it is fairly difficult, and I like the idea of enabling and
disabling modules to handle this.

In Fedora we currently disable the unconfined module which removes the
domain_unconfined_type attribute from lots of domains. We have done similar
things with other domains. (Network stuff).

We probably should have a naming convention for this to make it easy to
find and potentially display them in a gui.

MODULE_tunable.pp

Or something like that, then we could enable or disable the tunable to take
away certain attributes.

NFSHOMEDIR_tunable.pp
CIFSHOMEDIR_tunable.pp
FUSEFSHOMEDIR_tunable.pp

For example.
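As an added illustration of the "small module per attribute" approach discussed above (not code from either poster or from refpolicy), the script below mocks up Sven's `semanage attribute -a -t ATTRIBUTE TYPE` idea as a shell tool: it generates a module in raw SELinux module language that only does `typeattribute TYPE ATTRIBUTE`, names it `ATTRIBUTE_tunable` per Dan's naming convention, and wraps `semodule -i/-e/-d` so the attribute can be granted or withdrawn by enabling or disabling that module. The function and file names are the example's own; it assumes the type and attribute already exist in the loaded policy and that `checkmodule`, `semodule_package` and `semodule` are installed.

```shell
#!/bin/sh
# Constructed example: build and toggle an "attribute tunable" module.
set -eu

# gen_tunable_module ATTRIBUTE TYPE...  -> prints the module source.
# Raw module language (not refpolicy m4), so checkmodule can compile it.
gen_tunable_module() {
    attr=$1; shift
    printf 'module %s_tunable 1.0;\n\n' "$attr"
    printf 'require {\n'
    for t in "$@"; do printf '    type %s;\n' "$t"; done
    printf '    attribute %s;\n}\n\n' "$attr"
    # The only rule in the module: attach each type to the attribute.
    for t in "$@"; do printf 'typeattribute %s %s;\n' "$t" "$attr"; done
}

# build_module ATTRIBUTE TYPE...  -> compiles ATTRIBUTE_tunable.pp in cwd
# and prints its file name.
build_module() {
    name="$1_tunable"
    gen_tunable_module "$@" > "$name.te"
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    echo "$name.pp"
}

# Usage: attr-tunable add ATTRIBUTE TYPE...   (install the module)
#        attr-tunable disable ATTRIBUTE      (types lose the attribute)
#        attr-tunable enable ATTRIBUTE       (types regain the attribute)
# Disabling keeps the .pp in the module store, so the change is reversible
# without rebuilding anything.
case "${1:-}" in
    add)     shift; pp=$(build_module "$@"); semodule -i "$pp" ;;
    enable)  semodule -e "$2_tunable" ;;
    disable) semodule -d "$2_tunable" ;;
    "")      ;;  # sourced with no arguments: define functions only
    *)       echo "usage: $0 add|enable|disable ATTRIBUTE [TYPE...]" >&2 ;;
esac
```

Running `sh attr-tunable.sh add mailserver_domain portage_t` produces the same end result as the mock-up in Sven's mail, and `sh attr-tunable.sh disable mailserver_domain` removes the attribute again on the next policy load.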