[refpolicy] [PATCH 1/5] Introduce interface allowing relabeling from/to non-security file types

Christopher J. PeBenito cpebenito at tresys.com
Thu Aug 14 15:35:47 EDT 2014


On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> This interface can be used by domains that have a need for broad
> privileges towards the system, but should not need any privileges
> towards security-sensitive types.
[..]
> +interface(`files_relabel_all_non_security_file_types',`
> +	gen_require(`
> +		attribute non_security_file_type;
> +	')
> +
> +	allow $1 non_security_file_type:dir list_dir_perms;
> +
> +	relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
> +
> +	# This is only relabelfrom as there should be no device nodes marked with a type
> +	# associated with the non_security_file_type attribute
> +	relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
> +')

While there are a few interfaces that are like this with broad object
class usage, I'd rather not have them.  I'd prefer that they are broken
up into individual interfaces.  #3 patch is like this too.


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


More information about the refpolicy mailing list