Date: Fri, 9 Dec 2022 11:09:10 -0500
To: SELinux Reference Policy mailing list
From: Chris PeBenito
Subject: [refpolicy3 RFC] Split broad file contexts

In refpolicy2, we have several types, such as bin_t, that have file contexts related to other modules, e.g.:

/etc/acpi/actions(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)

relate to acpi and mailman. Should we continue to put all of the bin_t labeling in files.cas, or should we split it back to the individual modules? This was originally done in refpolicy2 so users could look in a single place for everything about bin_t, for encapsulation. This is nice for users, but not so nice for maintenance and version control.

Since cascade has the "extend" feature, we can split up the labeling among the relevant modules, and tooling can construct a single unified view of the file contexts of bin_t and the like. For example, instead of this in file.cas:

resource bin_t inherits executable {
    ...many fcs...
    file_context(/etc/acpi/actions(/.*)?, any);
}

we have this in acpi.cas:

extend bin_t {
    file_context(/etc/acpi/actions(/.*)?, any);
}

Thoughts?

-- 
Chris PeBenito
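The "tooling can construct a single unified view" step, as an added example that is not part of the message, of refpolicy or of Cascade: a small Python script that merges file_context() entries from resource and extend blocks across modules, then flags paths claimed by two types and extends of a type no module declares. The module names, the /usr/bin entry and the regexes follow the syntax quoted in the message and are assumptions, not the real Cascade grammar.

```python
import re
from collections import defaultdict

# Constructed sample modules in the syntax the message quotes; not real refpolicy3 files.
SOURCES = {
    "files.cas": """
resource bin_t inherits executable {
    file_context(/usr/bin(/.*)?, any);
}
""",
    "acpi.cas": """
extend bin_t {
    file_context(/etc/acpi/actions(/.*)?, any);
}
""",
    "mailman.cas": """
extend bin_t {
    file_context(/usr/lib/mailman/bin(/.*)?, any);
    file_context(/var/mailman/bin(/.*)?, any);
}
""",
}

# One 'resource' or 'extend' block (assumed grammar); bodies hold only file_context() calls.
BLOCK_RE = re.compile(r"\b(resource|extend)\s+(\w+)(?:\s+inherits\s+[\w,\s]+)?\s*\{([^}]*)\}")
FC_RE = re.compile(r"file_context\(\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*;")

def collect_file_contexts(sources):
    """Return ({type: [(path, file_class, module), ...]}, types extended but never declared)."""
    view, declared = defaultdict(list), set()
    for module, text in sources.items():
        for kind, name, body in BLOCK_RE.findall(text):
            if kind == "resource":
                declared.add(name)
            for path, fclass in FC_RE.findall(body):
                view[name].append((path, fclass, module))
    return dict(view), {n for n in view if n not in declared}

def conflicting_paths(view):
    """Paths that two different types both claim once the modules are merged."""
    owners = defaultdict(set)
    for name, entries in view.items():
        for path, _fclass, _module in entries:
            owners[path].add(name)
    return {p: sorted(t) for p, t in owners.items() if len(t) > 1}

if __name__ == "__main__":
    unified, _undeclared = collect_file_contexts(SOURCES)
    for path, fclass, module in sorted(unified["bin_t"]):  # the refpolicy2-style single view
        print(f"bin_t  {path:<28} {fclass:<5} from {module}")
```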