[refpolicy] [PATCH 1/5] Introduce interface allowing relabeling from/to non-security file types

Sven Vermeulen sven.vermeulen at siphos.be
Fri Aug 15 05:31:46 EDT 2014


On Thu, Aug 14, 2014 at 03:35:47PM -0400, Christopher J. PeBenito wrote:
> On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> > This interface can be used by domains that have a need for broad
> > privileges towards the system, but should not need any privileges
> > towards security-sensitive types.
> [..]
> > +interface(`files_relabel_all_non_security_file_types',`
> > +	gen_require(`
> > +		attribute non_security_file_type;
> > +	')
> > +
> > +	allow $1 non_security_file_type:dir list_dir_perms;
> > +
> > +	relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
> > +	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> > +	relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> > +	relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> > +	relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
> > +
> > +	# This is only relabelfrom as there should be no device nodes marked with a type
> > +	# associated with the non_security_file_type attribute
> > +	relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
> > +	relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
> > +')
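Review bot: The comment above relabelfrom_blk_files_pattern and relabelfrom_chr_files_pattern says no device nodes should carry a non_security_file_type type, but it does not say why relabelfrom is granted on them anyway. If the intent is to let the caller correct mislabeled device nodes, state that in the comment. Since only relabelfrom is granted for these two classes, the comment should also say that the caller needs relabelto on the destination device type from another rule. Separately, the line "allow $1 non_security_file_type:dir list_dir_perms;" grants directory listing on every non-security type, which the interface name (relabel only) does not suggest. Either mention it in the interface summary or leave that grant to the caller.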
> 
> While there are a few interfaces that are like this with broad object
> class usage, I'd rather not have them.  I'd prefer that they are broken
> up into individual interfaces.  #3 patch is like this too.

As in, iterate over all the various types that would be matched?

Although I can do that, that might result in many, many more interfaces
being necessary and having updates on the domain as users configure
tmpfiles.

Or we can go the other route and not include the broad privileges to start
with (only the basic resource types such as the pidfiles) until users
start complaining about tmpfiles not creating the directory, socket or file,
and adapt the policy as things go along.

Wkr,
	Sven Vermeulen

