From: Henrik Grindal Bakken
To: Chris PeBenito
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
Organization: Sierra Fan Club
References: <20200117231500.59904-1-hgb@ifi.uio.no>
Date: Tue, 21 Jan 2020 15:06:48 +0100
In-Reply-To: (Chris PeBenito's message of "Tue, 21 Jan 2020 08:36:50 -0500")
Message-ID: <875zh4aop3.fsf@cisco.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Chris PeBenito writes:

> On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
>> From: Henrik Grindal Bakken
>>
>> This is the same behaviour as files_*_non_auth_types have.
[...]
> NAK. Access per object class is already split up across separate
> interfaces, so doing this would be confusing and prevent someone from
> getting file-only access.

Ok. Then I would recommend rewriting the systemd_tmpfiles_t rules a bit,
because today it has a serious amount of AVC violations for pretty
standard usage. There are no matching interfaces for lnk_files, at least.

Any suggestions as to how to set up the tmpfiles rules? A new interface
like this:

interface(`manage_non_security_somethingsomething',`
	gen_require(`
		attribute non_security_file_type;
	')

	# one pattern per object class, all on the non_security_file_type attribute
	manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
	manage_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')

or

interface(`manage_stuff',`
	# same set of patterns, parameterised on the target type $2 instead of the attribute
	manage_dirs_pattern($1, $2, $2)
	manage_files_pattern($1, $2, $2)
	manage_lnk_files_pattern($1, $2, $2)
	manage_fifo_files_pattern($1, $2, $2)
	manage_sock_files_pattern($1, $2, $2)
')

or call the manage_*_pattern() stuff directly from systemd.te?
(I guess one should add stuff for chr_file, etc)

-- 
Henrik Grindal Bakken
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52
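The practical step behind this exchange is turning a pile of systemd_tmpfiles_t AVC denials into per-object-class refpolicy pattern calls, which is exactly the split the NAK insists on. The following script is an added example for this thread; it is neither code from the mail nor from the refpolicy project. The audit records are constructed, the `MANAGE_PATTERN` table assumes refpolicy's file_patterns.spt provides a `manage_*_pattern` macro for each file-like class (the `chr_file`/`blk_file` entries stand in for the "etc" the mail leaves open), and whether "manage" is the right access level for a given denial is a decision the script deliberately leaves to the policy author.

```python
"""Group 'avc: denied' records by (source type, target type, object class)
and map each class onto a refpolicy manage_*_pattern call.

Added example, not part of the mailing-list thread or of refpolicy.
Audit lines are constructed; macro names are assumed from file_patterns.spt.
"""
import re
from collections import defaultdict

# Constructed sample: six denials against systemd_tmpfiles_t plus one
# non-denial AVC record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1579615614.101:201): avc:  denied  { create } for  pid=712 comm="systemd-tmpfile" name="run" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1579615614.102:202): avc:  denied  { read getattr } for  pid=712 comm="systemd-tmpfile" name="run" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1579615614.103:203): avc:  denied  { unlink } for  pid=712 comm="systemd-tmpfile" name="old.sock" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1579615614.104:204): avc:  denied  { setattr } for  pid=712 comm="systemd-tmpfile" name="log" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1579615614.105:205): avc:  denied  { write } for  pid=712 comm="systemd-tmpfile" name="wtmp" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1579615614.106:206): avc:  denied  { setsched } for  pid=712 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=0
type=USER_AVC msg=audit(1579615614.107:207): pid=1 uid=0 msg='avc:  received setenforce notice (enforcing=1)'
"""

# Matches the kernel AVC denial record layout: the braced permission list,
# then the source and target contexts, then the object class.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)

# Object class -> refpolicy pattern macro (assumed from file_patterns.spt).
MANAGE_PATTERN = {
    "dir": "manage_dirs_pattern",
    "file": "manage_files_pattern",
    "lnk_file": "manage_lnk_files_pattern",
    "fifo_file": "manage_fifo_files_pattern",
    "sock_file": "manage_sock_files_pattern",
    "chr_file": "manage_chr_files_pattern",
    "blk_file": "manage_blk_files_pattern",
}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context.
    The MLS range may itself contain colons, so index rather than rsplit."""
    return ctx.split(":")[2]


def parse_denials(audit_text):
    """Return (source type, target type, class, perms) for every denial
    record; records that are not 'avc: denied' are skipped."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_DENIED.search(line)
        if m is None:
            continue
        denials.append((
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return denials


def group_denials(denials):
    """Merge denied permissions per (source, target, class) triple."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        grouped[(stype, ttype, tclass)] |= perms
    return dict(grouped)


def suggest_patterns(grouped):
    """Emit one refpolicy pattern call per object class (the per-class split
    the NAK refers to). Classes with no file pattern macro get a comment
    so they are not silently dropped; the denied permissions are kept as a
    trailing comment so the author can pick a narrower macro if 'manage'
    is more than the denial needs."""
    out = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        denied = " ".join(sorted(perms))
        macro = MANAGE_PATTERN.get(tclass)
        if macro is None:
            out.append(f"# {stype} on {ttype}:{tclass} {{ {denied} }} has no file pattern macro")
        else:
            out.append(f"{macro}({stype}, {ttype}, {ttype})  # denied: {denied}")
    return out


if __name__ == "__main__":
    print("\n".join(suggest_patterns(group_denials(parse_denials(SAMPLE_AUDIT)))))
```

Run against the constructed sample it prints one `manage_*_pattern` line per (target type, class) pair and a comment for the `process` denial, which makes the cost of the per-class convention visible: a single attribute-based interface would collapse the file-like lines into one call, but at the price of handing out every class at once, which is the file-only access the NAK wants to preserve.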