[refpolicy] Want to make typeattribute declarations possible in conditionals
sven.vermeulen at siphos.be
Tue Jul 23 08:22:07 EDT 2013
I would like to be able to assign attributes to types in a conditional
statement. Right now, this isn't allowed, and I don't know if it is feasible
to look for a solution to this or not. Is this a real design constraint that
will be hard to work around, or is this doable?
Alternatives that I see are:
- making the assignations part of separate, small SELinux modules that users can unload/load
- using interfaces that assign the permissions to the given domain, and use
this interface against the attribute. This will probably result in two
interfaces, foo_domain() to assign the attribute (for non-tunable usage)
and foo_domain_privileges() to assign the rights (for tunable usage) -
naming convention notwithstanding here.
- decouple the requirement from the policy and let administrators do this
The last approach means that the policy doesn't include the definitions
anymore, instead providing a method (in the SELinux userspace utilities or
distribution-specific) to assign attributes.
For instance (mock-up):
~# semanage attribute -a -t mailserver_domain portage_t
This would then create (or maintain) a small module that does the necessary
declarations, like "typeattribute portage_t mailserver_domain".
What is your opinion on this? Weird request?
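As an added illustration of the second alternative (the interface pair) and of the small stand-alone module from the third, in reference policy syntax. This is example code, not part of the original post or of refpolicy itself; the attribute `foo_domain`, the type `foo_spool_t`, the tunable `foo_portage_mail` and the module name `portage_mailserver` are assumed names, while `mailserver_domain` and `portage_t` are the names used in the post.

```selinux
# ---- foo.if : the interface pair -----------------------------------
# Attribute membership cannot be declared inside tunable_policy(),
# so foo_domain() is only usable unconditionally.
## <summary>
##	Mark the domain as a foo domain (attribute assignment, not tunable).
## </summary>
## <param name="domain"><summary>Domain to mark.</summary></param>
interface(`foo_domain',`
	gen_require(`
		attribute foo_domain;
	')

	typeattribute $1 foo_domain;
')

# The same privileges, granted directly to the domain. This interface
# contains only access rules, so it can be called from inside a
# tunable_policy() block.
## <summary>
##	Grant the privileges of a foo domain directly (usable under a tunable).
## </summary>
## <param name="domain"><summary>Domain to grant the privileges to.</summary></param>
interface(`foo_domain_privileges',`
	gen_require(`
		type foo_spool_t;
	')

	files_search_spool($1)
	manage_files_pattern($1, foo_spool_t, foo_spool_t)
')

# ---- foo.te : declarations and the unconditional path --------------
policy_module(foo, 1.0.0)

attribute foo_domain;

type foo_spool_t;
files_type(foo_spool_t)

# Every member of the attribute gets the privileges, unconditionally.
foo_domain_privileges(foo_domain)

# ---- portage.te (excerpt) : the tunable path -----------------------
## <desc>
##	<p>Allow portage to manage the foo spool.</p>
## </desc>
gen_tunable(foo_portage_mail, false)

tunable_policy(`foo_portage_mail',`
	# Rejected by the policy compiler:  typeattribute portage_t foo_domain;
	# so the rights are granted to the domain directly instead.
	foo_domain_privileges(portage_t)
')

# ---- portage_mailserver.te : the separate, loadable module ---------
# The "small module" alternative: this is the whole module, which an
# administrator can load or unload with semodule.
policy_module(portage_mailserver, 1.0.0)

gen_require(`
	type portage_t;
	attribute mailserver_domain;
')

typeattribute portage_t mailserver_domain;
```

The split keeps every access rule in one place (`foo_domain_privileges()`): the attribute path calls it once against the attribute, and the tunable path calls it against the concrete domain, so the two never drift apart. The cost is the one the post notes, two interfaces per attribute instead of one.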