* [refpolicy] [PATCH] Role type statements no longer declare the role
From: Dominick Grift @ 2015-04-27 18:03 UTC
To: refpolicy
Back in the older days, role type statements automatically declared the role. This was later changed.
I expect that these macros date from that period and that they should be updated to declare the role.
---
policy/modules/system/userdomain.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5f71587..9269135 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -27,11 +27,11 @@ template(`userdom_base_user_template',`
attribute userdomain;
type user_devpts_t, user_tty_device_t;
class context contains;
- role $1_r;
')
attribute $1_file_type;
+ role $1_r;
type $1_t, userdomain;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
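Review bot: the added `role $1_r;` after `attribute $1_file_type;` makes this template the declaring site for the role, while the follow-up in this thread notes that kernel.te still declares sysadm_r, staff_r, user_r and unconfined_r, so callers using those roles will now produce a duplicate declaration; the commit message should state that this is intended and accepted by the targeted toolchain (confirmed later in the thread for 2.3 and 2.4 userspace), and the indentation of the new line should match the neighbouring `type $1_t, userdomain;` before merge, as the author acknowledges.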
--
2.3.6
From: Dominick Grift @ 2015-04-27 18:05 UTC
To: refpolicy
On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
> Back in the older days, role type statements automatically declared the role. This was later changed.
>
> I expect that these macros date from that period and that they should be updated to declare the role.
This is just an RFC patch. It's untested and the indent does not conform to refpolicy style rules.
Just want to hear opinions.
> ---
> policy/modules/system/userdomain.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 5f71587..9269135 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -27,11 +27,11 @@ template(`userdom_base_user_template',`
> attribute userdomain;
> type user_devpts_t, user_tty_device_t;
> class context contains;
> - role $1_r;
> ')
>
> attribute $1_file_type;
>
> + role $1_r;
> type $1_t, userdomain;
> domain_type($1_t)
> corecmd_shell_entry_type($1_t)
> --
> 2.3.6
>
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
From: Sven Vermeulen @ 2015-04-27 18:55 UTC
To: refpolicy
On Mon, Apr 27, 2015 at 08:05:35PM +0200, Dominick Grift wrote:
> On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
> > Back in the older days, role type statements automatically declared the role. This was later changed.
> >
> > I expect that these macros date from that period and that they should be updated to declare the role.
>
> This is just an RFC patch. It's untested and the indent does not conform to refpolicy style rules.
>
> Just want to hear opinions.
I think I'm okay with the suggestion. At first I was wondering if it is more of
a cosmetic nature than actually necessary, but then I found that kernel.te
is declaring the basic roles already as well, and that I had declared the
role specifically in some other modules that I'm using.
Do you think the default role declarations in kernel.te can be dismissed if
your change is put through, or is the declaration of sysadm_r, staff_r, user_r
and unconfined_r in kernel.te needed due to other dependencies?
I can confirm that a duplicate role declaration does not seem to give any
issues on 2.3 and 2.4 userspace, so the above question doesn't need to be
answered before going forward with the change.
Wkr,
Sven Vermeulen
From: Dominick Grift @ 2015-04-27 19:05 UTC
To: refpolicy
On Mon, Apr 27, 2015 at 08:55:18PM +0200, Sven Vermeulen wrote:
> On Mon, Apr 27, 2015 at 08:05:35PM +0200, Dominick Grift wrote:
> > On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
> > > Back in the older days, role type statements automatically declared the role. This was later changed.
> > >
> > > I expect that these macros date from that period and that they should be updated to declare the role.
> >
> > This is just an RFC patch. It's untested and the indent does not conform to refpolicy style rules.
> >
> > Just want to hear opinions.
>
> I think I'm okay with the suggestion. At first I was wondering if it is more of
> a cosmetic nature than actually necessary, but then I found that kernel.te
> is declaring the basic roles already as well, and that I had declared the
> role specifically in some other modules that I'm using.
>
> Do you think the default role declarations in kernel.te can be dismissed if
> your change is put through, or is the declaration of sysadm_r, staff_r, user_r
> and unconfined_r in kernel.te needed due to other dependencies?
>
> I can confirm that a duplicate role declaration does not seem to give any
> issues on 2.3 and 2.4 userspace, so the above question doesn't need to be
> answered before going forward with the change.
I suspect we could then, at least in theory, get rid of (at least some of the) declarations in kernel.te
Only way to really find out is to test it.
>
> Wkr,
> Sven Vermeulen
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
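A static check for the pattern this thread is about, added here as an example and not part of refpolicy or the patch: it scans policy sources, treats a `role X;` inside gen_require as a requirement rather than a declaration, and reports roles that are required or used in a `role X types Y;` statement but declared nowhere. The sample sources are constructed stand-ins for userdomain.if (pre- and post-patch) and kernel.te; run against an instantiated template it also shows Sven's observation that the kernel.te declarations mask the missing declaration for the base roles but not for any other user role.

```python
import re

# Constructed samples modelled on the layout discussed in the thread (not the real
# refpolicy files): the template pre-patch, its post-patch form, and a kernel.te fragment.
BEFORE_IF = """template(`userdom_base_user_template',`
    gen_require(`
        attribute userdomain;
        role $1_r;
    ')
    type $1_t, userdomain;
    role $1_r types $1_t;
')
"""
AFTER_IF = BEFORE_IF.replace("        role $1_r;\n", "").replace(
    "    type $1_t, userdomain;", "    role $1_r;\n    type $1_t, userdomain;")
KERNEL_TE = "role system_r;\nrole sysadm_r;\nrole staff_r;\nrole user_r;\n"

REQ_OPEN = re.compile(r"gen_require\(`")
REQ_CLOSE = re.compile(r"^\s*'\)")
ROLE_DECL = re.compile(r"^\s*role\s+([\w$]+)\s*;")          # role X;
ROLE_TYPES = re.compile(r"^\s*role\s+([\w$]+)\s+types\s+")  # role X types Y;

def expand(template: str, arg: str) -> str:
    """Instantiate a one-argument template as a caller such as
    userdom_base_user_template(staff) would: substitute $1."""
    return template.replace("$1", arg)

def scan(source: str) -> tuple[set[str], set[str], set[str]]:
    """(declared, required, used) role sets for one file; 'role X;' inside
    gen_require is a requirement, not a declaration."""
    declared, required, used, in_require = set(), set(), set(), False
    for line in source.splitlines():
        if REQ_OPEN.search(line):
            in_require = True
        elif in_require and REQ_CLOSE.match(line):
            in_require = False
        elif (m := ROLE_DECL.match(line)):
            (required if in_require else declared).add(m.group(1))
        elif (m := ROLE_TYPES.match(line)):
            used.add(m.group(1))
    return declared, required, used

def undeclared_roles(sources: dict[str, str]) -> set[str]:
    """Roles required or used in a role-types statement that no file declares."""
    declared, needed = set(), set()
    for text in sources.values():
        d, r, u = scan(text)
        declared |= d
        needed |= r | u
    return needed - declared
```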
From: Christopher J. PeBenito @ 2015-04-27 19:07 UTC
To: refpolicy
On 4/27/2015 2:55 PM, Sven Vermeulen wrote:
> On Mon, Apr 27, 2015 at 08:05:35PM +0200, Dominick Grift wrote:
>> On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
>>> Back in the older days, role type statements automatically declared the role. This was later changed.
>>>
>>> I expect that these macros date from that period and that they should be updated to declare the role.
>>
>> This is just an RFC patch. It's untested and the indent does not conform to refpolicy style rules.
>>
>> Just want to hear opinions.
>
> I think I'm okay with the suggestion. At first I was wondering if it is more of
> a cosmetic nature than actually necessary, but then I found that kernel.te
> is declaring the basic roles already as well, and that I had declared the
> role specifically in some other modules that I'm using.
>
> Do you think the default role declarations in kernel.te can be dismissed if
> your change is put through, or is the declaration of sysadm_r, staff_r, user_r
> and unconfined_r in kernel.te needed due to other dependencies?
>
> I can confirm that a duplicate role declaration does not seem to give any
> issues on 2.3 and 2.4 userspace, so the above question doesn't need to be
> answered before going forward with the change.
The reason the role declarations are in kernel.te is because of the user
declarations in policy/users. If you turn off unconfined, then base
fails to compile.
One option may be to eliminate all user declarations except system_u,
and then it would be up to the distros/users to create their own users
(even if it is just to restore what we currently have). That being
said, I don't like that option much, as refpolicy can't work out of the box.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com