Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B021C43387 for ; Sun, 6 Jan 2019 01:45:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 84682222CB for ; Sun, 6 Jan 2019 01:45:54 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="keNabcxF" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726374AbfAFBpy (ORCPT ); Sat, 5 Jan 2019 20:45:54 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:38056 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726372AbfAFBpy (ORCPT ); Sat, 5 Jan 2019 20:45:54 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 657DBED20; Sun, 6 Jan 2019 12:45:52 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1546739152; bh=wFFoiVjLWClzWIV7Ohxnft9KD9SxeUNDlKQH4573KpM=; l=1743; h=From:To:Reply-To:Cc:Subject:Date:In-Reply-To:References:From; b=keNabcxFy6kdgNH/pM2Pq7OY6hEFeGJtMdcHjBoi3zk6fbIKvgMb4yfP1NnmAn/tZ Ivg/okgt/yDXxoLh4HzkdmKs5GTkmqVMfhnZZsXKF/rDXMpo6XDZ2Z4JY4I/C+LMNd 17otb2IJFHWLk0fxyjXmGpCPKfNDvqEYO/84h3BY= Received: by xev.coker.com.au (Postfix, from userid 1001) id CD6E8C3CE70; Sun, 6 Jan 2019 12:45:47 +1100 (AEDT) From: Russell Coker To: Chris PeBenito Reply-To: russell@coker.com.au Cc: selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] misc interfaces Date: Sun, 06 Jan 2019 12:45:47 +1100 Message-ID: <2720499.UrXOAb4Yr4@xev> In-Reply-To: <70440b14-0034-f72f-cbb1-f59a39ca67f7@ieee.org> References: <20190104073312.GA11256@aaa.coker.com.au> <70440b14-0034-f72f-cbb1-f59a39ca67f7@ieee.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Sunday, 6 January 2019 5:39:37 AM AEDT Chris PeBenito wrote: > On 1/4/19 2:33 AM, Russell Coker wrote: > > This patch has some small interface changes as well as the policy patches > > to use the new interfaces. > > > > Index: refpolicy-2.20180701/policy/modules/admin/apt.if > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if > > +++ refpolicy-2.20180701/policy/modules/admin/apt.if > > @@ -171,7 +171,7 @@ interface(`apt_read_cache',` > > > > files_search_var($1) > > allow $1 apt_var_cache_t:dir list_dir_perms; > > - allow $1 apt_var_cache_t:file read_file_perms; > > + allow $1 apt_var_cache_t:file mmap_read_file_perms; > > ') > > > > ######################################## > > @@ -191,7 +191,7 @@ interface(`apt_manage_cache',` > > > > files_search_var($1) > > allow $1 apt_var_cache_t:dir manage_dir_perms; > > - allow $1 apt_var_cache_t:file manage_file_perms; > > + allow $1 apt_var_cache_t:file { manage_file_perms map }; > > ') > > I dropped these hunks. In general the map should be a separate > interface, unless you're arguing that in all cases there should be mmaping. > > Otherwise the remainder is merged. While it is possible for anyone to write code that manages the apt cache, in general anything that touches it will do so via apt utilities or shared objects (usually by executing /usr/bin/apt-cache which has bin_t). Yes I think that in all cases there should be a mapping because in all likely cases that will exist (all cases that are known to exist) the same code is used for accessing those files. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/