From: Chris PeBenito <pebenito@ieee.org>
To: Henrik Grindal Bakken <hgb@ifi.uio.no>,
selinux-refpolicy@vger.kernel.org
Subject: Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
Date: Tue, 21 Jan 2020 08:36:50 -0500 [thread overview]
Message-ID: <aee925e5-1a1f-1c97-71eb-669ff5890392@ieee.org> (raw)
In-Reply-To: <20200117231500.59904-1-hgb@ifi.uio.no>
On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
> From: Henrik Grindal Bakken <henribak@cisco.com>
>
> This is the same behavious as files_*_non_auth_types have.
> ---
> policy/modules/kernel/files.if | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index f1c9441..255d8a9 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -652,7 +652,11 @@ interface(`files_manage_non_security_files',`
> attribute non_security_file_type;
> ')
>
> + manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
> manage_files_pattern($1, non_security_file_type, non_security_file_type)
> + manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> + manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> + manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
> ')
>
> ########################################
> @@ -671,7 +675,11 @@ interface(`files_relabel_non_security_files',`
> attribute non_security_file_type;
> ')
>
> + relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
> relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> + relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> + relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> + relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
> ')
>
> ########################################
NAK. Access per object class is already split up across separate
interfaces, so doing this would be confusing and prevent someone from
getting file-only access.
--
Chris PeBenito
next prev parent reply other threads:[~2020-01-21 13:43 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-17 23:15 [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types Henrik Grindal Bakken
2020-01-18 7:11 ` Henrik Grindal Bakken
2020-01-21 13:36 ` Chris PeBenito [this message]
2020-01-21 14:06 ` Henrik Grindal Bakken
2020-01-22 10:03 ` Chris PeBenito
2020-01-22 20:24 ` Henrik Grindal Bakken
2020-02-08 14:49 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aee925e5-1a1f-1c97-71eb-669ff5890392@ieee.org \
--to=pebenito@ieee.org \
--cc=hgb@ifi.uio.no \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).