From: Henrik Grindal Bakken
To: Chris PeBenito
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
Organization: Sierra Fan Club
References: <20200117231500.59904-1-hgb@ifi.uio.no>
Date: Tue, 21 Jan 2020 15:06:48 +0100
In-Reply-To: (Chris PeBenito's message of "Tue, 21 Jan 2020 08:36:50 -0500")
Message-ID: <875zh4aop3.fsf@cisco.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)
List-ID: selinux-refpolicy@vger.kernel.org

Chris PeBenito writes:

> On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
>> From: Henrik Grindal Bakken
>>
>> This is the same behaviour as files_*_non_auth_types have.
> [...]
> NAK. Access per object class is already split up across separate
> interfaces, so doing this would be confusing and prevent someone from
> getting file-only access.

Ok. Then I would recommend rewriting the systemd_tmpfiles_t rules a bit,
because today it has a serious amount of AVC violations for pretty
standard usage. There are no matching interfaces for lnk_files, at
least. Any suggestions as to how to set up the tmpfiles rules?
A new interface like this:

interface(`manage_non_security_somethingsomething',`
	gen_require(`
		attribute non_security_file_type;
	')

	manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
	manage_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')

or

interface(`manage_stuff',`
	manage_dirs_pattern($1, $2, $2)
	manage_files_pattern($1, $2, $2)
	manage_lnk_files_pattern($1, $2, $2)
	manage_fifo_files_pattern($1, $2, $2)
	manage_sock_files_pattern($1, $2, $2)
')

or call the manage_*_pattern() stuff directly from systemd.te? (I guess one
should add stuff for chr_file, etc)

-- 
Henrik Grindal Bakken
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52
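Added example, not code from this thread or from refpolicy, for the question of which rules systemd_tmpfiles_t is actually missing: a POSIX shell/awk script that reads AVC denials for one domain and prints, per denied (target type, object class), the manage_*_pattern() macro from the sketches above, with the permissions that were actually denied listed for review before granting full manage access. It assumes the standard audit AVC record layout; the audit lines and the target types in them (var_run_t, tmp_t, shadow_t) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): map AVC denials logged for one domain
# onto the refpolicy manage_*_pattern() macro covering each denied object
# class (dir, file, lnk_file, fifo_file, sock_file, chr_file, blk_file).
# The audit lines below are constructed; the target types are made up.
SAMPLE_AVC='type=AVC msg=audit(1579615200.101:11): avc:  denied  { create } for  pid=410 comm="systemd-tmpfile" name="lock" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1579615200.102:12): avc:  denied  { unlink } for  pid=410 comm="systemd-tmpfile" name="old" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1579615200.103:13): avc:  denied  { rmdir } for  pid=410 comm="systemd-tmpfile" name="stale" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1579615200.104:14): avc:  denied  { read } for  pid=99 comm="cat" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# avc_patterns DOMAIN: read audit lines on stdin; for each (object class,
# target type) denied to DOMAIN print the manage_*_pattern() call that would
# cover it, plus the denied permissions as a trailing comment so a reviewer
# can decide whether full "manage" access is really warranted.
avc_patterns() {
    awk -v dom="$1" '
        /avc: +denied/ {
            s = ""; t = ""; c = ""; p = ""; inperm = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inperm = 1; continue }
                if ($i == "}") { inperm = 0; continue }
                if (inperm) p = p " " $i
                # the third colon-separated field of a context is the type
                if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
                if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            if (s != dom || c == "" || t == "") next
            key = c SUBSEP t
            # record each denied permission set once per (class, type)
            if (index(perms[key] " ", p " ") == 0) perms[key] = perms[key] p
        }
        END {
            for (key in perms) {
                split(key, k, SUBSEP)
                # refpolicy macro names are plural: dir -> dirs, lnk_file -> lnk_files
                name = (k[1] == "dir") ? "dirs" : (k[1] "s")
                macro = "manage_" name "_pattern(" dom ", " k[2] ", " k[2] ")"
                print macro "  # denied:" perms[key]
            }
        }' | sort
}

printf '%s\n' "$SAMPLE_AVC" | avc_patterns systemd_tmpfiles_t
```

On a real system feed it `ausearch -m avc --raw` output instead of the sample; denials from other domains (the unconfined_t line above) are ignored.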