From: Henrik Grindal Bakken
To: Chris PeBenito
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
Organization: Sierra Fan Club
Date: Wed, 22 Jan 2020 21:24:01 +0100
Message-ID: <87sgk78cke.fsf@cisco.com>

Chris PeBenito writes:

> On 1/21/20 9:06 AM, Henrik Grindal Bakken wrote:
>
>> Ok.  Then I would recommend rewriting the systemd_tmpfiles_t rules a
>> bit, because today it has a serious amount of AVC violations for pretty
>> standard usage.
>
> Perhaps. However, it depends on what you consider standard usage.

I suppose.  It might not be standard out-of-the-distro-box, but it
supports managing all of these classes of files, and I would've
preferred my policy to support that.

>> There are no matching interfaces for lnk_files, at least.  Any
>> suggestions as to how to set up the tmpfiles rules?
>
> By adding new interfaces that are like the existing
> files_manage_non_security_files() interface, but for lnk_file.

Ok.  Is there interest in a patch for that, or should I just conjure
up something locally that works for me?

-- 
Henrik Grindal Bakken
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52