[refpolicy] Want to make typeattribute declarations possible in conditionals

Sven Vermeulen sven.vermeulen at siphos.be
Tue Jul 23 08:22:07 EDT 2013


Hi all,

I would like to be able to assign attributes to types in a conditional
statement. Right now, this isn't allowed, and I don't know if it is feasible
to look for a solution to this or not. Is this a real design constraint that
will be hard to work around, or is this doable?

Alternatives that I see are:
- making the assignations part of separate, small SELinux modules that users can unload/load
- using interfaces that assign the permissions to the given domain, and use
  this interface against the attribute. This will probably result in two
  interfaces, foo_domain() to assign the attribute (for non-tunable usage)
  and foo_domain_privileges() to assign the rights (for tunable usage) -
  naming convention notwithstanding here.
- decouple the requirement from the policy and let administrators do this

The last approach means that the policy doesn't include the definitions
anymore, instead providing a method (in the SELinux userspace utilities or
distribution-specific) to assign attributes.

For instance (mock-up):

~# semanage attribute -a -t mailserver_domain portage_t

This would then create (or maintain) a small module that does the necessary
declarations, like "typeattribute portage_t mailserver_domain".

What is your opinion on this? Weird request?

Wkr,
	Sven Vermeulen
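The two-interface split from the second alternative, written out as refpolicy-style interfaces. This is an added illustration, not code from the post or from refpolicy itself; the interface names mta_mailserver_domain and mta_mailserver_privileges, the tunable mta_tunable_mailserver and the choice of mail_spool_t rights are assumptions.

```m4
########################################
## <summary>
##	Mark a domain as a mail server domain.  The typeattribute
##	statement stays unconditional, since it cannot appear
##	inside a tunable_policy block.
## </summary>
## <param name="domain">
##	<summary>Domain to mark.</summary>
## </param>
#
interface(`mta_mailserver_domain',`
	gen_require(`
		attribute mailserver_domain;
	')

	typeattribute $1 mailserver_domain;
')

########################################
## <summary>
##	Grant a domain the mail server rights, gated by the
##	hypothetical mta_tunable_mailserver tunable (assumed to be
##	declared with gen_tunable in the mta module's .te file).
## </summary>
## <param name="domain">
##	<summary>Domain to grant the rights to.</summary>
## </param>
#
interface(`mta_mailserver_privileges',`
	gen_require(`
		type mail_spool_t;
	')

	tunable_policy(`mta_tunable_mailserver',`
		manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
		manage_files_pattern($1, mail_spool_t, mail_spool_t)
	')
')

# Caller, e.g. in portage.te: the attribute is always assigned, while
# the rights follow the boolean ("setsebool mta_tunable_mailserver on").
#	mta_mailserver_domain(portage_t)
#	mta_mailserver_privileges(portage_t)
```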