SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Henrik Grindal Bakken <hgb@ifi.uio.no>
To: Chris PeBenito <pebenito@ieee.org>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
Date: Tue, 21 Jan 2020 15:06:48 +0100
Message-ID: <875zh4aop3.fsf@cisco.com> (raw)
In-Reply-To: <aee925e5-1a1f-1c97-71eb-669ff5890392@ieee.org> (Chris PeBenito's message of "Tue, 21 Jan 2020 08:36:50 -0500")

Chris PeBenito <pebenito@ieee.org> writes:

> On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
>> From: Henrik Grindal Bakken <henribak@cisco.com>
>>
>> This is the same behavious as files_*_non_auth_types have.

[...]

> NAK.  Access per object class is already split up across separate
> interfaces, so doing this would be confusing and prevent someone from
> getting file-only access.

Ok.  Then I would recomment rewriting the systemd_tmpfiles_t rules a
bit, because today it has a serious amount of AVC violations for pretty
standard usage.

There are no matching interfaces for lnk_files, at least.  Any
suggestions as to how to set up the tmpfiles rules?

A new interface like this:

interface(`manage_non_security_somethingsomething',`
        gen_require(`
            attribute non_security_file_type;
        ')

       manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
       manage_files_pattern($1, non_security_file_type, non_security_file_type)
       manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
       manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
       manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')

or

interface(`manage_stuff',`
       manage_dirs_pattern($1, $2, $2)
       manage_files_pattern($1, $2, $2)
       manage_lnk_files_pattern($1, $2, $2)
       manage_fifo_files_pattern($1, $2, $2)
       manage_sock_files_pattern($1, $2, $2)
')

or call the manage_*_pattern() stuff directly from systemd.te?

(I guess one should add stuff for chr_file, etc)

-- 
Henrik Grindal Bakken <hgb@ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52

  reply index

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-17 23:15 Henrik Grindal Bakken
2020-01-18  7:11 ` Henrik Grindal Bakken
2020-01-21 13:36 ` Chris PeBenito
2020-01-21 14:06   ` Henrik Grindal Bakken [this message]
2020-01-22 10:03     ` Chris PeBenito
2020-01-22 20:24       ` Henrik Grindal Bakken
2020-02-08 14:49         ` Chris PeBenito

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=875zh4aop3.fsf@cisco.com \
    --to=hgb@ifi.uio.no \
    --cc=pebenito@ieee.org \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git