Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp2993412rwb; Fri, 9 Dec 2022 08:40:33 -0800 (PST) X-Google-Smtp-Source: AA0mqf5/rCQ/JoqR54qd/3o9btMg3qNA8A+/OIUWcwijg1YuErQhz8z5pZ03IMA5vzkodlODpWeh X-Received: by 2002:a17:90a:5513:b0:218:7c21:1680 with SMTP id b19-20020a17090a551300b002187c211680mr6502661pji.13.1670604032931; Fri, 09 Dec 2022 08:40:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670604032; cv=none; d=google.com; s=arc-20160816; b=xZvBeikzHTLTKIXeQq5jSFhReYS60MtpAKlOO9geLmEPhjS3pQpkW6A9kkSPwy2Kju eZvojq6guqHs7kymMtqpePpubmVxoUs19trpRxRlptYLn1bDT5zc7emfGGsAHg6Zbtkt VplCBnel8og9Fm2oi5mKPe3NWJmBfjlR/E5WloVcun5kVSb3n6AhO5wWhykWMcVzdAXE 6SgcASiaRJd1+5OwJJ0hk9lJhsUW0d4wxx+MJpd1bHwQnNZDIkxzsNgnqowvvPqkmb5h ps73LQAWV25EBU+0KW0DPDVYhE5BPcqArvEPbMj6dI0Rt8vpddzbqf5IFOJ+TaU+2mWq WwPw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:to:content-language:subject:user-agent:mime-version:date :message-id:dkim-signature:dkim-filter; bh=0jMIx88h53CDm+rzYbezxJEiroNeJv0850cmuo5ZijU=; b=VHg9Clsdzs0OyUyb/sx5SMc+8mxT50OJIY24pdSwJ6WYVtZPQWN36bNWh8s8Blet54 1HgiKvUbm4V0qlBXQZ0g0jWS/UUz2x+LujQ2Pnqtr6Fu9NVI9rND8dpERhBltxvzu7/g eolyn0ytjQwPOvgC2JwiEjwxb1ZT9imdSxDAwv5+VcMtUulaKQabTdKMQTiqzBo51CQP hnc9EJ5wBoPqTfIvv5zoPu6EqtvaazZ7ykHSF1XdbSiTv51mtgNsebe5bATda30wzMQ3 N0dYQTJmbaT6cYr5tWmGzJaUTOmtG4cG4zm1Je/Xp7fr1iUHoKvVw9/ko+v1LaVhvk43 e/ag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=Tdjwj779; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v62-20020a638941000000b00476c9ad73b6si1859156pgd.44.2022.12.09.08.40.27; Fri, 09 Dec 2022 08:40:32 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=Tdjwj779; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229563AbiLIQ3T (ORCPT + 21 others); Fri, 9 Dec 2022 11:29:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229470AbiLIQ3T (ORCPT ); Fri, 9 Dec 2022 11:29:19 -0500 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 7097D85D0B for ; Fri, 9 Dec 2022 08:29:18 -0800 (PST) Received: from [192.168.1.108] (ip98-168-40-103.ph.ph.cox.net [98.168.40.103]) by linux.microsoft.com (Postfix) with ESMTPSA id 1A78720B6C40; Fri, 9 Dec 2022 08:29:18 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 1A78720B6C40 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1670603358; bh=0jMIx88h53CDm+rzYbezxJEiroNeJv0850cmuo5ZijU=; h=Date:Subject:To:References:From:In-Reply-To:From; b=Tdjwj779kvFsTfaUxjki1VEoAYZvaAcKGvjkHay5U/tnmFo1+2DA0TBqMcupqHAkP McPa0U+R/umlijTkaTZNmf55p0kEm9bC70SjRt2GulLWUMRa6i0wwrtlcOs81SIK3D gOWkSWvDhG2uw2OqzGfGLAEZBr9DIrwdXF2pZyCY= Message-ID: <0397bf1e-415f-b045-5a6d-c12fde48a65a@linux.microsoft.com> Date: Fri, 9 Dec 2022 09:29:16 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.5.1 Subject: Re: [refpolicy3 RFC] Split broad file contexts Content-Language: en-US To: Chris PeBenito , SELinux Reference Policy mailing list References: From: Matthew Sheets In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-20.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS,USER_IN_DEF_DKIM_WL, USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 12/9/2022 9:09 AM, Chris PeBenito wrote: > In refpolicy2, we have several types, such as bin_t, that have file > contexts related to other modules, e.g.: > > /etc/acpi/actions(/.*)?            gen_context(system_u:object_r:bin_t,s0) > > /usr/lib/mailman/bin(/.*)?        gen_context(system_u:object_r:bin_t,s0) > > /var/mailman/bin(/.*)?            gen_context(system_u:object_r:bin_t,s0) > > > relate to acpi and mailman. > > Should we continue to put all of the bin_t labeling in files.cas or > should we split it back to the individual modules?  This was originally > done in refpolicy2 so users could look in a single place for everything > about bin_t for encapsulation.  This is nice for users, but not so nice > for maintenance and version control. > > Since cascade has the "extend" feature, we can split up the labeling > among relevant modules, and tooling can construct a single unified view > of the file contexts of bin_t and the like. > > For example, instead of this in file.cas: > > resource bin_t inherits executable { >   ...many fcs... >   file_context(/etc/acpi/actions(/.*)?, any); > } > > we have this in acpi.cas: > > extend bin_t { >   file_context(/etc/acpi/actions(/.*)?, any); > } > > > Thoughts? > > If I turn of a module I want as little residue as possible in other modules. I think using extend is the best option. Keep all relative types and labeling in the singular module so if it is not used we heavily reduce the possibility of unexpected labeling/access. The users should understand that a single cas file does not define the whole policy, so if they see something that may be "off" with labeling they may need to look further. And with the new tooling, looking further should be easy.