From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 18 Aug 2014 10:57:10 -0400
Subject: [refpolicy] [PATCH 1/5] Introduce interface allowing relabeling from/to non-security file types
In-Reply-To: <20140815093146.GA5715@siphos.be>
References: <1407434738-11937-1-git-send-email-sven.vermeulen@siphos.be>
 <1407434738-11937-2-git-send-email-sven.vermeulen@siphos.be>
 <53ED0F93.8080905@tresys.com>
 <20140815093146.GA5715@siphos.be>
Message-ID: <53F21446.3050205@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/15/2014 5:31 AM, Sven Vermeulen wrote:
> On Thu, Aug 14, 2014 at 03:35:47PM -0400, Christopher J. PeBenito wrote:
>> On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
>>> This interface can be used by domains that have a need for broad
>>> privileges towards the system, but should not need any privileges
>>> towards security-sensitive types.
>> [..]
>>> +interface(`files_relabel_all_non_security_file_types',`
>>> + gen_require(`
>>> + attribute non_security_file_type;
>>> + ')
>>> +
>>> + allow $1 non_security_file_type:dir list_dir_perms;
>>> +
>>> + relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
>>> + relabel_files_pattern($1, non_security_file_type, non_security_file_type)
>>> + relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
>>> + relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
>>> + relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
>>> +
>>> + # This is only relabelfrom as there should be no device nodes marked with a type
>>> + # associated with the non_security_file_type attribute
>>> + relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
>>> + relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
>>> +')
>>
>> While there are a few interfaces that are like this with broad object
>> class usage, I'd rather not have them. I'd prefer that they are broken
>> up into individual interfaces. #3 patch is like this too.
>
> As in, iterate over all the various types that would be matched?

Yes.

> Although I can do that, that might result in many, many more interfaces
> being necessary and having updates on the domain as users configure
> tmpfiles.
>
> Or we can go the other route and not include the broad privileges to start
> with (only the basic resource types such as the pidfiles) until users
> start complaining about tmpfiles not creating the directory, socket or file,
> and adapt the policy as things go along.

I'm fine with that too.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
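Review bot: the explicit `allow $1 non_security_file_type:dir list_dir_perms;` near the top of the quoted `files_relabel_all_non_security_file_types` hunk grants directory listing over every non-security directory, which is more than relabeling needs; the `relabel_*_pattern` calls below it already carry search on the directory type, so either drop that line or add a comment saying why a caller must enumerate directory contents. The other point is the one already raised in this thread: a single interface carrying relabelfrom and relabelto for dir, file, lnk_file, fifo_file and sock_file, plus relabelfrom for blk_file and chr_file, is exactly the broad object-class interface the reviewer says he would rather not have, so split it per object class (for example `files_relabel_all_non_security_dirs` and `files_relabel_all_non_security_files`) so a caller such as the tmpfiles domain takes only the classes it actually handles. The relabelfrom-only treatment of device nodes is well explained by the in-hunk comment and can stay as its own small interface.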
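One way to carry out the split Chris asks for, as an added example that is not part of Sven's patch or of the refpolicy tree: per-object-class interfaces over the same `non_security_file_type` attribute, written with refpolicy's existing `relabel_dirs_pattern`, `relabel_files_pattern`, `relabelfrom_blk_files_pattern` and `relabelfrom_chr_files_pattern` macros. The interface names, the decision to leave out the explicit `list_dir_perms` allow, and the doc-block wording are this example's own assumptions.

```m4
########################################
## <summary>
##	Relabel all non-security directories
##	(from and to any non_security_file_type).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_relabel_all_non_security_dirs',`
	gen_require(`
		attribute non_security_file_type;
	')

	# relabel_dirs_pattern already grants search on the directory type and
	# { relabelfrom relabelto } on the dir class of the target type, so no
	# separate list_dir_perms allow is needed just to relabel.
	relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
')

########################################
## <summary>
##	Relabel all non-security regular files
##	(from and to any non_security_file_type).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_relabel_all_non_security_files',`
	gen_require(`
		attribute non_security_file_type;
	')

	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
')

# lnk_file, fifo_file and sock_file take the same shape, each in its own
# interface, using relabel_lnk_files_pattern, relabel_fifo_files_pattern
# and relabel_sock_files_pattern respectively (not repeated here).

########################################
## <summary>
##	Move mislabeled device nodes off non-security
##	file types (relabelfrom only, no relabelto).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_relabelfrom_all_non_security_device_nodes',`
	gen_require(`
		attribute non_security_file_type;
	')

	# Device nodes should never carry a non_security_file_type label, so a
	# caller may only relabel them away from such a type, never to one.
	relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
	relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
')
```

A domain that only needs to fix up directory labels, such as the tmpfiles case discussed in the thread, then calls just `files_relabel_all_non_security_dirs(foo_t)` (hypothetical domain `foo_t`) and gains nothing on the file, lnk_file or socket classes. After building the policy, a quick check such as `sesearch --allow -s foo_t -t non_security_file_type -c file -p relabelto` should return no rules, which is the property the split is meant to give.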