From: Chris PeBenito
To: Russell Coker, selinux-refpolicy@vger.kernel.org
Subject: Re: append_lnk_files_pattern
Date: Mon, 2 Oct 2023 08:40:50 -0400
Message-ID: <9629e26a-381b-5482-1493-ac3387616507@ieee.org>
In-Reply-To: <4932293.0VBMTVartN@cupcakke>

On 9/30/2023 7:55 AM, Russell Coker wrote:
> Why do we have the pattern append_lnk_files_pattern? It's not used anywhere
> in refpolicy along with write_lnk_files_pattern. The sesearch command shows
> only the following uses of append permission for lnk_file.

More than likely it's simply a copy-paste when I first generated the macros.

> # sesearch -A -c lnk_file -p append
> allow files_unconfined_type file_type:lnk_file { append create execmod execute
> getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
> rename setattr unlink watch write };
> allow filesystem_unconfined_type filesystem_type:lnk_file { append create
> execmod execute getattr ioctl link lock map mounton open quotaon read
> relabelfrom relabelto rename setattr unlink watch write };
> allow kern_unconfined proc_type:lnk_file { append create execmod execute
> getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
> rename setattr unlink watch write };
> allow kern_unconfined unlabeled_t:lnk_file { append create execmod execute
> getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
> rename setattr unlink watch write };
>
> I guess that the kern_unconfined stuff is related to the magic symlinks in
> /proc/PID directories. Is there any other way where a symlink can be appended?
>
> Does it make sense to have the append macros and the write macros with append
> permission included?

The way I see it (and how the various perm macros are designed), if a rule has
write, then append is also implied. Append may not make sense for lnk_file, but
I don't see a downside to having it.

--
Chris PeBenito
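The convention discussed above (a rule granting write on lnk_file should also grant append) can be checked mechanically against sesearch output. The following is an added example, not code from the thread or from refpolicy; it parses `allow` rules in the format sesearch prints (the four rules quoted above are embedded as constructed sample input) and reports any lnk_file rule that grants write without append. Conditional-rule suffixes that sesearch can print are not handled.

```python
import re

# Constructed sample input: the four rules quoted in the thread, one per line.
SESEARCH_OUTPUT = """\
allow files_unconfined_type file_type:lnk_file { append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch write };
allow filesystem_unconfined_type filesystem_type:lnk_file { append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch write };
allow kern_unconfined proc_type:lnk_file { append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch write };
allow kern_unconfined unlabeled_t:lnk_file { append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch write };
"""

# Matches "allow SRC TGT:CLASS { p1 p2 ... };" and the single-permission
# form "allow SRC TGT:CLASS perm;". Permission sets may span lines.
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;"
)


def parse_allow_rules(text):
    """Return one dict per allow rule: src, tgt, cls and the set of perms."""
    rules = []
    for m in RULE_RE.finditer(text):
        perms = m.group("perms")
        perm_set = set(perms.split()) if perms is not None else {m.group("perm")}
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": perm_set})
    return rules


def rules_granting(rules, cls, perm):
    """Rules on object class `cls` whose permission set contains `perm`."""
    return [r for r in rules if r["cls"] == cls and perm in r["perms"]]


def write_without_append(rules, cls="lnk_file"):
    """Rules on `cls` that grant write but not append, i.e. rules that break
    the 'write implies append' convention of the perm macros."""
    return [r for r in rules
            if r["cls"] == cls and "write" in r["perms"] and "append" not in r["perms"]]


if __name__ == "__main__":
    parsed = parse_allow_rules(SESEARCH_OUTPUT)
    print(f"{len(parsed)} lnk_file rules grant append; "
          f"{len(write_without_append(parsed))} grant write without append")
```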