From: Henrik Grindal Bakken <hgb@ifi.uio.no>
To: Chris PeBenito <pebenito@ieee.org>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
Date: Tue, 21 Jan 2020 15:06:48 +0100 [thread overview]
Message-ID: <875zh4aop3.fsf@cisco.com> (raw)
In-Reply-To: <aee925e5-1a1f-1c97-71eb-669ff5890392@ieee.org> (Chris PeBenito's message of "Tue, 21 Jan 2020 08:36:50 -0500")
Chris PeBenito <pebenito@ieee.org> writes:
> On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
>> From: Henrik Grindal Bakken <henribak@cisco.com>
>>
>> This is the same behavious as files_*_non_auth_types have.
[...]
> NAK. Access per object class is already split up across separate
> interfaces, so doing this would be confusing and prevent someone from
> getting file-only access.
Ok. Then I would recomment rewriting the systemd_tmpfiles_t rules a
bit, because today it has a serious amount of AVC violations for pretty
standard usage.
There are no matching interfaces for lnk_files, at least. Any
suggestions as to how to set up the tmpfiles rules?
A new interface like this:
interface(`manage_non_security_somethingsomething',`
gen_require(`
attribute non_security_file_type;
')
manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
manage_files_pattern($1, non_security_file_type, non_security_file_type)
manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')
or
interface(`manage_stuff',`
manage_dirs_pattern($1, $2, $2)
manage_files_pattern($1, $2, $2)
manage_lnk_files_pattern($1, $2, $2)
manage_fifo_files_pattern($1, $2, $2)
manage_sock_files_pattern($1, $2, $2)
')
or call the manage_*_pattern() stuff directly from systemd.te?
(I guess one should add stuff for chr_file, etc)
--
Henrik Grindal Bakken <hgb@ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52
next prev parent reply other threads:[~2020-01-21 14:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-17 23:15 [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types Henrik Grindal Bakken
2020-01-18 7:11 ` Henrik Grindal Bakken
2020-01-21 13:36 ` Chris PeBenito
2020-01-21 14:06 ` Henrik Grindal Bakken [this message]
2020-01-22 10:03 ` Chris PeBenito
2020-01-22 20:24 ` Henrik Grindal Bakken
2020-02-08 14:49 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=875zh4aop3.fsf@cisco.com \
--to=hgb@ifi.uio.no \
--cc=pebenito@ieee.org \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).