* [refpolicy] [m4-isms patch 3/6] Add role rule to make translation easier
@ 2010-08-24 19:50 James Carter
  2010-08-25 12:54 ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: James Carter @ 2010-08-24 19:50 UTC (permalink / raw)
  To: refpolicy

By adding this rule, I can assume that every role rule of the form "role
foo_r;" is a declaration and those of the form "role foo_r types bar_t;"
are adding types to an existing role.  This makes translating to a
different language easier.

---
 policy/modules/services/nx.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index ebb9582..a3559f2 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
 domain_user_exemption_target(nx_server_t)
 # we need an extra role because nxserver is called from sshd
 # cjp: do we really need this?
+role nx_server_r;
 role nx_server_r types nx_server_t;
 allow system_r nx_server_r;
 
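Review bot: the added `role nx_server_r;` line carries no comment, and sitting directly above `role nx_server_r types nx_server_t;` it reads as redundant, so a later cleanup could remove it. Add a one-line comment saying the bare declaration is intentional and that the `types` form only attaches types. The commit message states the assumption for every role rule, but the diffstat covers only nx.te, so the message should say whether this was the only module that attached types to a role without a bare declaration and how that was checked.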

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
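
A lint for the convention described in the patch message above, as an added example that is not part of the original thread or of Refpolicy: it reports every "role X types ...;" statement whose role has no bare "role X;" declaration in the sources given. It assumes plain single-line statements (no m4 macro expansion); the function name and the sample text are constructed for illustration.

```python
import re

# "role foo_r;" is a declaration; "role foo_r types bar_t;" attaches types.
# The second pattern also accepts a braced set, e.g. "types { a_t b_t }".
DECL_RE = re.compile(r"^\s*role\s+(\w+)\s*;")
TYPES_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+[^;]+;")


def strip_comment(line):
    """Drop a trailing '#' comment, as used in .te files."""
    return line.split("#", 1)[0]


def undeclared_role_uses(sources):
    """sources: dict of filename -> policy text.

    Returns sorted (filename, line_number, role) for every
    'role X types ...;' whose role has no bare 'role X;' declaration
    anywhere in the given sources.
    """
    declared = set()
    uses = []
    for name, text in sources.items():
        for lineno, raw in enumerate(text.splitlines(), start=1):
            line = strip_comment(raw)
            m = DECL_RE.match(line)
            if m:
                declared.add(m.group(1))
                continue
            m = TYPES_RE.match(line)
            if m:
                uses.append((name, lineno, m.group(1)))
    return sorted(u for u in uses if u[2] not in declared)


# Constructed samples: the nx.te lines from the patch, before and after.
NX_BEFORE = """\
# we need an extra role because nxserver is called from sshd
role nx_server_r types nx_server_t;
allow system_r nx_server_r;
"""
NX_AFTER = """\
# we need an extra role because nxserver is called from sshd
role nx_server_r;
role nx_server_r types nx_server_t;
allow system_r nx_server_r;
"""

if __name__ == "__main__":
    for label, text in (("before", NX_BEFORE), ("after", NX_AFTER)):
        print(label, undeclared_role_uses({"nx.te": text}))
```
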


* [refpolicy] [m4-isms patch 3/6] Add role rule to make translation easier
  2010-08-24 19:50 [refpolicy] [m4-isms patch 3/6] Add role rule to make translation easier James Carter
@ 2010-08-25 12:54 ` Christopher J. PeBenito
  2010-08-25 14:11   ` James Carter
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2010-08-25 12:54 UTC (permalink / raw)
  To: refpolicy

On 08/24/10 15:50, James Carter wrote:
> By adding this rule, I can assume that every role rule of the form "role
> foo_r;" is a declaration and those of the form "role foo_r types bar_t;"
> are adding types to an existing role.  This makes translating to a
> different language easier.

This is a straightforward one.  I don't have a problem with it, though 
requiring a role declaration statement imposes a new requirement that 
didn't previously exist.

> ---
>   policy/modules/services/nx.te |    1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
> index ebb9582..a3559f2 100644
> --- a/policy/modules/services/nx.te
> +++ b/policy/modules/services/nx.te
> @@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
>   domain_user_exemption_target(nx_server_t)
>   # we need an extra role because nxserver is called from sshd
>   # cjp: do we really need this?
> +role nx_server_r;
>   role nx_server_r types nx_server_t;
>   allow system_r nx_server_r;
>
>


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [m4-isms patch 3/6] Add role rule to make translation easier
  2010-08-25 12:54 ` Christopher J. PeBenito
@ 2010-08-25 14:11   ` James Carter
  2010-08-25 15:51     ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: James Carter @ 2010-08-25 14:11 UTC (permalink / raw)
  To: refpolicy

On Wed, 2010-08-25 at 08:54 -0400, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
> > By adding this rule, I can assume that every role rule of the form "role
> > foo_r;" is a declaration and those of the form "role foo_r types bar_t;"
> > are adding types to an existing role.  This makes translating to a
> > different language easier.
> 
> This is a straightforward one.  I don't have a problem with it, though 
> requiring a role declaration statement imposes a new requirement that 
> didn't previously exist.
> 

But the fact that multiple role declarations are allowed is a deficiency
of the current policy language.  CIL will have a roletype statement
which will eliminate the need for allowing multiple role declarations.  

I think that having this extra rule won't harm Refpolicy while being
beneficial for translating Refpolicy to CIL.

> > ---
> >   policy/modules/services/nx.te |    1 +
> >   1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
> > index ebb9582..a3559f2 100644
> > --- a/policy/modules/services/nx.te
> > +++ b/policy/modules/services/nx.te
> > @@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
> >   domain_user_exemption_target(nx_server_t)
> >   # we need an extra role because nxserver is called from sshd
> >   # cjp: do we really need this?
> > +role nx_server_r;
> >   role nx_server_r types nx_server_t;
> >   allow system_r nx_server_r;
> >
> >
> 
> 

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


* [refpolicy] [m4-isms patch 3/6] Add role rule to make translation easier
  2010-08-25 14:11   ` James Carter
@ 2010-08-25 15:51     ` Christopher J. PeBenito
  2010-08-25 17:14       ` James Carter
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2010-08-25 15:51 UTC (permalink / raw)
  To: refpolicy

On 08/25/10 10:11, James Carter wrote:
> On Wed, 2010-08-25 at 08:54 -0400, Christopher J. PeBenito wrote:
>> On 08/24/10 15:50, James Carter wrote:
>>> By adding this rule, I can assume that every role rule of the form "role
>>> foo_r;" is a declaration and those of the form "role foo_r types bar_t;"
>>> are adding types to an existing role.  This makes translating to a
>>> different language easier.
>>
>> This is a straightforward one.  I don't have a problem with it, though
>> requiring a role declaration statement imposes a new requirement that
>> didn't previously exist.
>>
>
> But the fact that multiple role declarations are allowed is a deficiency
> of the current policy language.  CIL will have a roletype statement
> which will eliminate the need for allowing multiple role declarations.
>
> I think that having this extra rule won't harm Refpolicy while being
> beneficial for translating Refpolicy to CIL.

Like I said, I don't have a problem with it.  I didn't commit it since 
you said in your 0 patch email that this patchset was more of a RFC.

>>> ---
>>>    policy/modules/services/nx.te |    1 +
>>>    1 file changed, 1 insertion(+)
>>>
>>> diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
>>> index ebb9582..a3559f2 100644
>>> --- a/policy/modules/services/nx.te
>>> +++ b/policy/modules/services/nx.te
>>> @@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
>>>    domain_user_exemption_target(nx_server_t)
>>>    # we need an extra role because nxserver is called from sshd
>>>    # cjp: do we really need this?
>>> +role nx_server_r;
>>>    role nx_server_r types nx_server_t;
>>>    allow system_r nx_server_r;
>>>
>>>
>>
>>
>


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [m4-isms patch 3/6] Add role rule to make translation easier
  2010-08-25 15:51     ` Christopher J. PeBenito
@ 2010-08-25 17:14       ` James Carter
  0 siblings, 0 replies; 5+ messages in thread
From: James Carter @ 2010-08-25 17:14 UTC (permalink / raw)
  To: refpolicy

On Wed, 2010-08-25 at 11:51 -0400, Christopher J. PeBenito wrote:
> On 08/25/10 10:11, James Carter wrote:
> > On Wed, 2010-08-25 at 08:54 -0400, Christopher J. PeBenito wrote:
> >> On 08/24/10 15:50, James Carter wrote:
> >>> By adding this rule, I can assume that every role rule of the form "role
> >>> foo_r;" is a declaration and those of the form "role foo_r types bar_t;"
> >>> are adding types to an existing role.  This makes translating to a
> >>> different language easier.
> >>
> >> This is a straightforward one.  I don't have a problem with it, though
> >> requiring a role declaration statement imposes a new requirement that
> >> didn't previously exist.
> >>
> >
> > But the fact that multiple role declarations are allowed is a deficiency
> > of the current policy language.  CIL will have a roletype statement
> > which will eliminate the need for allowing multiple role declarations.
> >
> > I think that having this extra rule won't harm Refpolicy while being
> > beneficial for translating Refpolicy to CIL.
> 
> Like I said, I don't have a problem with it.  I didn't commit it since 
> you said in your 0 patch email that this patchset was more of a RFC.
> 

It is.  I was not expecting it to be committed at this point.  I was
just trying to clarify because it seemed like you were concerned about
imposing a new requirement, but it looks like I was wrong about that.

> >>> ---
> >>>    policy/modules/services/nx.te |    1 +
> >>>    1 file changed, 1 insertion(+)
> >>>
> >>> diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
> >>> index ebb9582..a3559f2 100644
> >>> --- a/policy/modules/services/nx.te
> >>> +++ b/policy/modules/services/nx.te
> >>> @@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
> >>>    domain_user_exemption_target(nx_server_t)
> >>>    # we need an extra role because nxserver is called from sshd
> >>>    # cjp: do we really need this?
> >>> +role nx_server_r;
> >>>    role nx_server_r types nx_server_t;
> >>>    allow system_r nx_server_r;
> >>>
> >>>
> >>
> >>
> >
> 
> 

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
