[refpolicy] Interface naming question for a filetrans
Christopher J. PeBenito
cpebenito at tresys.com
Tue Jul 3 08:55:04 CDT 2012
On 7/2/2012 4:15 PM, Sven Vermeulen wrote:
> On Mon, Jul 02, 2012 at 08:05:38AM -0400, Christopher J. PeBenito wrote:
>> On 07/01/12 05:29, Sven Vermeulen wrote:
>>> Let's say I am in the need for two interfaces.
>>> One would do:
>>> files_pid_filetrans($1, udev_rules_t, dir, $2)
>>> the other one
>>> filetrans_pattern($1, udev_var_run_t, udev_rules_t, dir, $2)
>>> I'm a bit in doubt about what to call the interfaces.
>>> So, what's the take on this?
>> The general idea of the naming is modulename_fromtype_filetrans[_totype],
>> where fromtype and totype are the more abstract names for the types. But
>> it sounds like the above situation is messy. Would you further describe
>> what you're trying to do (raw rules would be fine)?
> One is:
> filetrans_pattern($1, var_run_t, udev_rules_t, dir, $2)
> The other one:
> filetrans_pattern($1, udev_var_run_t, udev_rules_t, dir, $2)
> which is about as raw as possible without loosing the idea ;-) For instance,
> an init script creates "rules.d" in "/run/udev", so we need the second one.
> But udevadm creates "rules" in "/var/run" which needs the first one.
> filetrans_pattern(initrc_t, udev_var_run_t, udev_rules_t, dir, "rules.d")
> filetrans_pattern(udev_t, var_run_t, udev_rules_t, dir, "rules")
> The problem with the naming is that, in this particular case, _fromtype_ is
> dubious. By using "_pids_" it can either refer to the generic one
> (var_run_t) or to the subtype of the module (udev_var_run_t).
Right. I'd go with generic pids for var_run_t; pids would imply the udev pids.
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
More information about the refpolicy