[refpolicy] [PATCH 1/5] Introduce interface allowing relabeling from/to non-security file types

Christopher J. PeBenito cpebenito at tresys.com
Mon Aug 18 10:57:10 EDT 2014


On 8/15/2014 5:31 AM, Sven Vermeulen wrote:
> On Thu, Aug 14, 2014 at 03:35:47PM -0400, Christopher J. PeBenito wrote:
>> On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
>>> This interface can be used by domains that have a need for broad
>>> privileges towards the system, but should not need any privileges
>>> towards security-sensitive types.
>> [..]
>>> +interface(`files_relabel_all_non_security_file_types',`
>>> +	gen_require(`
>>> +		attribute non_security_file_type;
>>> +	')
>>> +
>>> +	allow $1 non_security_file_type:dir list_dir_perms;
>>> +
>>> +	relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
>>> +	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
>>> +	relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
>>> +	relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
>>> +	relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
>>> +
>>> +	# This is only relabelfrom as there should be no device nodes marked with a type
>>> +	# associated with the non_security_file_type attribute
>>> +	relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
>>> +	relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
>>> +')
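
Review bot: The two device-node lines at the end of the interface, relabelfrom_blk_files_pattern and relabelfrom_chr_files_pattern, grant only relabelfrom, while the name files_relabel_all_non_security_file_types suggests relabel from and to for every class, so a caller cannot tell from the name what it actually receives. Splitting this into one interface per object class, with the block and character device ones named relabelfrom, would make each grant explicit and let a domain request only the classes it needs. The quoted lines also show no "## <summary>" and "<param>" documentation block above the interface( line; if it is not in the elided part, it should be added.
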
>>
>> While there are a few interfaces that are like this with broad object
>> class usage, I'd rather not have them.  I'd prefer that they are broken
>> up into individual interfaces.  #3 patch is like this too.
> 
> As in, iterate over all the various types that would be matched?

Yes.

> Although I can do that, that might result in many, many more interfaces
> being necessary and having updates on the domain as users configure
> tmpfiles.
> 
> Or we can go the other route and not include the broad privileges to start
> with (only the basic resource types such as the pidfiles) until users
> start complaining about tmpfiles not creating the directory, socket or file,
> and adapt the policy as things go along.

I'm fine with that too.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

