From: Chris PeBenito
To: SELinux Reference Policy mailing list
Date: Fri, 9 Dec 2022 11:09:10 -0500
Subject: [refpolicy3 RFC] Split broad file contexts

In refpolicy2, we have several types, such as bin_t, that have file contexts related to other modules, e.g.:

    /etc/acpi/actions(/.*)?     gen_context(system_u:object_r:bin_t,s0)
    /usr/lib/mailman/bin(/.*)?  gen_context(system_u:object_r:bin_t,s0)
    /var/mailman/bin(/.*)?      gen_context(system_u:object_r:bin_t,s0)

relate to acpi and mailman. Should we continue to put all of the bin_t labeling in files.cas or should we split it back to the individual modules?

This was originally done in refpolicy2 so users could look in a single place for everything about bin_t for encapsulation. This is nice for users, but not so nice for maintenance and version control.

Since cascade has the "extend" feature, we can split up the labeling among relevant modules, and tooling can construct a single unified view of the file contexts of bin_t and the like.

For example, instead of this in file.cas:

    resource bin_t inherits executable {
        ...many fcs...
        file_context(/etc/acpi/actions(/.*)?, any);
    }

we have this in acpi.cas:

    extend bin_t {
        file_context(/etc/acpi/actions(/.*)?, any);
    }

Thoughts?

-- 
Chris PeBenito
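The message argues that once labeling is spread across modules via "extend", tooling can rebuild the single-place view refpolicy2 users are used to. The following is an added illustration of such tooling, not code from refpolicy or the Cascade project: a small parser for the subset of Cascade syntax shown in the message (resource/extend blocks containing file_context(path, type); statements), which merges the entries for each resource across modules, flags an "extend" of a resource no module declares, reports paths claimed more than once, and renders the merged result as refpolicy2-style fc lines. The sample .cas sources are constructed for the example, and the block-and-statement grammar it accepts is assumed from the snippets above rather than taken from the full Cascade language.

```python
import re
from collections import defaultdict

# Constructed sample modules modelled on the snippets in the RFC (assumed syntax).
SOURCES = {
    "file.cas": """
resource bin_t inherits executable {
    file_context(/usr/bin(/.*)?, any);
    file_context(/usr/sbin(/.*)?, any);
}
""",
    "acpi.cas": """
extend bin_t {
    file_context(/etc/acpi/actions(/.*)?, any);
}
""",
    "mailman.cas": """
extend bin_t {
    file_context(/usr/lib/mailman/bin(/.*)?, any);
    file_context(/var/mailman/bin(/.*)?, any);
}
""",
}

# A block opener: "resource NAME [inherits A, B] {" or "extend NAME {".
BLOCK_RE = re.compile(r'^\s*(resource|extend)\s+(\w+)(?:\s+inherits\s+[\w, ]+)?\s*\{', re.M)
# One file_context statement; the path regex may contain anything but a comma.
FC_RE = re.compile(r'file_context\(\s*([^,]+?)\s*,\s*(\w+)\s*\)\s*;')


def parse_blocks(text):
    """Yield (kind, resource_name, body_text) for every resource/extend block."""
    for m in BLOCK_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # find the matching closing brace
            if text[i] == '{':
                depth += 1
            elif text[i] == '}':
                depth -= 1
            i += 1
        if depth:
            raise ValueError(f"unterminated block for {m.group(2)}")
        yield m.group(1), m.group(2), text[m.end():i - 1]


def unify_file_contexts(sources):
    """Merge file_context entries per resource across all modules.

    Returns {resource: [(path_regex, file_type, module), ...]}.  An "extend"
    whose resource is declared by no module is an error, since a typo in the
    extend would otherwise silently produce labeling for a non-existent type.
    """
    declared, extended = set(), set()
    entries = defaultdict(list)
    for module, text in sources.items():
        for kind, name, body in parse_blocks(text):
            (declared if kind == "resource" else extended).add(name)
            for path, ftype in FC_RE.findall(body):
                entries[name].append((path, ftype, module))
    dangling = extended - declared
    if dangling:
        raise ValueError(f"extend of undeclared resource(s): {sorted(dangling)}")
    return dict(entries)


def conflicting_paths(entries):
    """Paths that more than one (resource, module) pair claims: a review item
    for the maintainer, since the last matching fc line would win at relabel."""
    owners = defaultdict(set)
    for resource, fcs in entries.items():
        for path, _ftype, module in fcs:
            owners[path].add((resource, module))
    return {p: o for p, o in owners.items() if len(o) > 1}


# refpolicy2 fc file-type specifiers; "any" carries no specifier at all.
_FC_TYPE = {"any": "", "file": "--", "dir": "-d", "symlink": "-l"}


def render_refpolicy2(entries, resource, user="system_u", role="object_r", level="s0"):
    """Emit the unified refpolicy2-style fc lines for one resource: the
    single-place view of e.g. bin_t that users of refpolicy2 expect."""
    lines = []
    for path, ftype, _module in entries.get(resource, []):
        spec = _FC_TYPE.get(ftype, "")
        lines.append(f"{path}{(' ' + spec) if spec else ''} "
                     f"gen_context({user}:{role}:{resource},{level})")
    return lines


if __name__ == "__main__":
    unified = unify_file_contexts(SOURCES)
    print("\n".join(render_refpolicy2(unified, "bin_t")))
    print("conflicts:", conflicting_paths(unified))
```

Run stand-alone, the script prints the five bin_t fc lines collected from file.cas, acpi.cas and mailman.cas in refpolicy2 layout and an empty conflict map; the per-entry module name retained in each tuple is what lets a maintainer trace a label back to the module that owns it, which is the maintenance benefit the split is meant to buy.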