2010-08-24 19:50:48

by jwcart2

Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-"

The *_except interfaces expect the caller to call them like this:
files_read_all_dirs_except(foo_t, - bar_t)

This makes the call argument hard to deal with because it is neither a
type nor a set. Also an argument like $2 -shadow_t could either be a
set or an MLS range.

The *_except interfaces are never used except for in the *_except_shadow
interfaces. The calls to the *_except_shadow interfaces never specify a
second argument.

files_manage_all_files is called only in portage.te (with no exception)
and authlogin.if.

---
policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
policy/modules/system/authlogin.if | 10 ++--
2 files changed, 79 insertions(+), 23 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5302dac..9212dea 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
attribute file_type;
')

- allow $1 { file_type $2 }:dir list_dir_perms;
+ allow $1 { file_type - $2 }:dir list_dir_perms;
')

########################################
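Review bot: The second argument of `files_read_all_dirs_except` is now mandatory: `{ file_type - $2 }` with an empty `$2` expands to `{ file_type - }`, which the policy compiler should reject, whereas the old form degraded to `{ file_type }` and quietly granted access to everything. Failing at build time is the better outcome, but the interface's `<param>` description for `$2` is outside the hunk, and if it still tells callers to negate each type themselves it is now wrong; suggested wording: `The type or set of types to be excluded; the caller must not negate them.` The same applies to the hunks for files_read_all_files_except, files_read_all_symlinks_except, files_relabel_all_files_except and files_manage_all_files_except.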
@@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
attribute file_type;
')

- read_files_pattern($1, { file_type $2 }, { file_type $2 })
+ read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
')

########################################
@@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
attribute file_type;
')

- read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
')

########################################
@@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`

########################################
## <summary>
+## Relabel all files on the filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the domain perfoming this action.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type : dir list_dir_perms;
+ relabel_dirs_pattern($1, file_type, file_type)
+ relabel_files_pattern($1, file_type, file_type)
+ relabel_lnk_files_pattern($1, file_type, file_type)
+ relabel_fifo_files_pattern($1, file_type, file_type)
+ relabel_sock_files_pattern($1, file_type, file_type)
+ relabelfrom_blk_files_pattern($1, file_type, file_type)
+ relabelfrom_chr_files_pattern($1, file_type, file_type)
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
+')
+
+########################################
+## <summary>
## Relabel all files on the filesystem, except
## the listed exceptions.
## </summary>
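Review bot: The new one-argument `files_relabel_all_files` keeps the old name, so a stale two-argument call in the previous `files_relabel_all_files($1,$2 -shadow_t)` form would, as far as I know, still expand — m4 drops unused extra arguments without complaint — and would silently grant relabel access to every file_type including the type the caller meant to exclude. Consider a comment in the interface body such as `# exceptions are not accepted here; use files_relabel_all_files_except` so stale callers are caught in review; the same holds for the new `files_manage_all_files` hunk. Two smaller points: `perfoming` in the param summary (here and in the `files_manage_all_files` hunk) is a typo for `performing`, and `allow $1 file_type : dir list_dir_perms;` spaces the object class differently from the `}:dir` form used in the `_except` variant below. The comment in the `_except` variant explaining why blk/chr device nodes only get relabelfrom is worth carrying over to the new interface as well.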
@@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
## </param>
## <rolecap/>
#
-interface(`files_relabel_all_files',`
+interface(`files_relabel_all_files_except',`
gen_require(`
attribute file_type;
')

- allow $1 { file_type $2 }:dir list_dir_perms;
- relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+ allow $1 { file_type - $2 }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
# this is only relabelfrom since there should be no
# device nodes with file types.
- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })

# satisfy the assertions:
seutil_relabelto_bin_policy($1)
@@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`

########################################
## <summary>
+## Manage all files on the filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the domain perfoming this action.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_dirs_pattern($1, file_type, file_type)
+ manage_files_pattern($1, file_type, file_type)
+ manage_lnk_files_pattern($1, file_type, file_type)
+ manage_fifo_files_pattern($1, file_type, file_type)
+ manage_sock_files_pattern($1, file_type, file_type)
+
+ # satisfy the assertions:
+ seutil_create_bin_policy($1)
+ files_manage_kernel_modules($1)
+')
+
+########################################
+## <summary>
## Manage all files on the filesystem, except
## the listed exceptions.
## </summary>
@@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
## </param>
## <rolecap/>
#
-interface(`files_manage_all_files',`
+interface(`files_manage_all_files_except',`
gen_require(`
attribute file_type;
')

- manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
- manage_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+ manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })

# satisfy the assertions:
seutil_create_bin_policy($1)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 7fddc24..c116df6 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
type shadow_t;
')

- files_read_all_dirs_except($1,$2 -shadow_t)
+ files_read_all_dirs_except($1, shadow_t)
')

########################################
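Review bot: `auth_read_all_dirs_except_shadow` no longer forwards `$2`, so a second argument passed by a caller is now, as far as I know, dropped by m4 rather than added to the exclusion set; the commit message says no caller supplies one today, but the interface's parameter documentation (outside the hunk) should remove or deprecate that parameter so it cannot quietly become a no-op. The same applies to the remaining four authlogin.if hunks (auth_read_all_files_except_shadow, auth_read_all_symlinks_except_shadow, auth_relabel_all_files_except_shadow, auth_manage_all_files_except_shadow).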
@@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
type shadow_t;
')

- files_read_all_files_except($1,$2 -shadow_t)
+ files_read_all_files_except($1, shadow_t)
')

########################################
@@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
type shadow_t;
')

- files_read_all_symlinks_except($1,$2 -shadow_t)
+ files_read_all_symlinks_except($1, shadow_t)
')

########################################
@@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
type shadow_t;
')

- files_relabel_all_files($1,$2 -shadow_t)
+ files_relabel_all_files_except($1, shadow_t)
')

########################################
@@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
type shadow_t;
')

- files_manage_all_files($1,$2 -shadow_t)
+ files_manage_all_files_except($1, shadow_t)
')

########################################

--
James Carter <[email protected]>
National Security Agency


2010-08-25 13:05:27

by cpebenito

Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-"

On 08/24/10 15:50, James Carter wrote:
> The *_except interfaces expect the caller to call it like this:
> files_read_all_dirs_except(foo_t, - bar_t)
>
> This makes the call argument hard to deal with because it is neither a
> type nor a set. Also an argument like $2 -shadow_t could either be a
> set or an MLS range.
>
> The *_except interfaces are never used except for in the *_except_shadow
> interfaces. The calls to the *_except_shadow interfaces never specify a
> second argument.
>
> files_manage_all_files is called only in portage.te (with no exception)
> and authlogin.if.

There are two issues with this change:

1. It breaks API stability.
2. It doesn't work if you want to specify a set, e.g.

files_read_all_dirs_except(foo_t, { bar_t baz_t })

> ---
> policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
> policy/modules/system/authlogin.if | 10 ++--
> 2 files changed, 79 insertions(+), 23 deletions(-)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 5302dac..9212dea 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
> attribute file_type;
> ')
>
> - allow $1 { file_type $2 }:dir list_dir_perms;
> + allow $1 { file_type - $2 }:dir list_dir_perms;
> ')
>
> ########################################
> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
> attribute file_type;
> ')
>
> - read_files_pattern($1, { file_type $2 }, { file_type $2 })
> + read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> ')
>
> ########################################
> @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
> attribute file_type;
> ')
>
> - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> ')
>
> ########################################
> @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
>
> ########################################
> ##<summary>
> +## Relabel all files on the filesystem
> +##</summary>
> +##<param name="domain">
> +##<summary>
> +## The type of the domain perfoming this action.
> +##</summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`files_relabel_all_files',`
> + gen_require(`
> + attribute file_type;
> + ')
> +
> + allow $1 file_type : dir list_dir_perms;
> + relabel_dirs_pattern($1, file_type, file_type)
> + relabel_files_pattern($1, file_type, file_type)
> + relabel_lnk_files_pattern($1, file_type, file_type)
> + relabel_fifo_files_pattern($1, file_type, file_type)
> + relabel_sock_files_pattern($1, file_type, file_type)
> + relabelfrom_blk_files_pattern($1, file_type, file_type)
> + relabelfrom_chr_files_pattern($1, file_type, file_type)
> +
> + # satisfy the assertions:
> + seutil_relabelto_bin_policy($1)
> +')
> +
> +########################################
> +##<summary>
> ## Relabel all files on the filesystem, except
> ## the listed exceptions.
> ##</summary>
> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
> ##</param>
> ##<rolecap/>
> #
> -interface(`files_relabel_all_files',`
> +interface(`files_relabel_all_files_except',`
> gen_require(`
> attribute file_type;
> ')
>
> - allow $1 { file_type $2 }:dir list_dir_perms;
> - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> - relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
> - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> + allow $1 { file_type - $2 }:dir list_dir_perms;
> + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> # this is only relabelfrom since there should be no
> # device nodes with file types.
> - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
> - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
> + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>
> # satisfy the assertions:
> seutil_relabelto_bin_policy($1)
> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
>
> ########################################
> ##<summary>
> +## Manage all files on the filesystem.
> +##</summary>
> +##<param name="domain">
> +##<summary>
> +## The type of the domain perfoming this action.
> +##</summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`files_manage_all_files',`
> + gen_require(`
> + attribute file_type;
> + ')
> +
> + manage_dirs_pattern($1, file_type, file_type)
> + manage_files_pattern($1, file_type, file_type)
> + manage_lnk_files_pattern($1, file_type, file_type)
> + manage_fifo_files_pattern($1, file_type, file_type)
> + manage_sock_files_pattern($1, file_type, file_type)
> +
> + # satisfy the assertions:
> + seutil_create_bin_policy($1)
> + files_manage_kernel_modules($1)
> +')
> +
> +########################################
> +##<summary>
> ## Manage all files on the filesystem, except
> ## the listed exceptions.
> ##</summary>
> @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
> ##</param>
> ##<rolecap/>
> #
> -interface(`files_manage_all_files',`
> +interface(`files_manage_all_files_except',`
> gen_require(`
> attribute file_type;
> ')
>
> - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
> - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>
> # satisfy the assertions:
> seutil_create_bin_policy($1)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 7fddc24..c116df6 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
> type shadow_t;
> ')
>
> - files_read_all_dirs_except($1,$2 -shadow_t)
> + files_read_all_dirs_except($1, shadow_t)
> ')
>
> ########################################
> @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
> type shadow_t;
> ')
>
> - files_read_all_files_except($1,$2 -shadow_t)
> + files_read_all_files_except($1, shadow_t)
> ')
>
> ########################################
> @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
> type shadow_t;
> ')
>
> - files_read_all_symlinks_except($1,$2 -shadow_t)
> + files_read_all_symlinks_except($1, shadow_t)
> ')
>
> ########################################
> @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
> type shadow_t;
> ')
>
> - files_relabel_all_files($1,$2 -shadow_t)
> + files_relabel_all_files_except($1, shadow_t)
> ')
>
> ########################################
> @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
> type shadow_t;
> ')
>
> - files_manage_all_files($1,$2 -shadow_t)
> + files_manage_all_files_except($1, shadow_t)
> ')
>
> ########################################
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-08-25 14:19:31

by jwcart2

Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-"

On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
> > The *_except interfaces expect the caller to call it like this:
> > files_read_all_dirs_except(foo_t, - bar_t)
> >
> > This makes the call argument hard to deal with because it is neither a
> > type nor a set. Also an argument like $2 -shadow_t could either be a
> > set or an MLS range.
> >
> > The *_except interfaces are never used except for in the *_except_shadow
> > interfaces. The calls to the *_except_shadow interfaces never specify a
> > second argument.
> >
> > files_manage_all_files is called only in portage.te (with no exception)
> > and authlogin.if.
>
> Theres two issues with this change:
>
> 1. It breaks API stability.

That may be true, but the current interface makes no sense to me. If I
use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows
access to file_type and bar_t. It doesn't exclude anything.

> 2. It doesn't work if you want to specify a set, e.g.
>
> files_read_all_dirs_except(foo_t, { bar_t baz_t })
>
Why doesn't that work? Doesn't that give
{ file_type - { bar_t baz_t } }?

Again, if you don't like the changes, that's fine. It is just something
that will have to be worked around. Any changes that you do accept just
make life easier.

> > ---
> > policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
> > policy/modules/system/authlogin.if | 10 ++--
> > 2 files changed, 79 insertions(+), 23 deletions(-)
> >
> > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> > index 5302dac..9212dea 100644
> > --- a/policy/modules/kernel/files.if
> > +++ b/policy/modules/kernel/files.if
> > @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
> > attribute file_type;
> > ')
> >
> > - allow $1 { file_type $2 }:dir list_dir_perms;
> > + allow $1 { file_type - $2 }:dir list_dir_perms;
> > ')
> >
> > ########################################
> > @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
> > attribute file_type;
> > ')
> >
> > - read_files_pattern($1, { file_type $2 }, { file_type $2 })
> > + read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > ')
> >
> > ########################################
> > @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
> > attribute file_type;
> > ')
> >
> > - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> > + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > ')
> >
> > ########################################
> > @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
> >
> > ########################################
> > ##<summary>
> > +## Relabel all files on the filesystem
> > +##</summary>
> > +##<param name="domain">
> > +##<summary>
> > +## The type of the domain perfoming this action.
> > +##</summary>
> > +##</param>
> > +##<rolecap/>
> > +#
> > +interface(`files_relabel_all_files',`
> > + gen_require(`
> > + attribute file_type;
> > + ')
> > +
> > + allow $1 file_type : dir list_dir_perms;
> > + relabel_dirs_pattern($1, file_type, file_type)
> > + relabel_files_pattern($1, file_type, file_type)
> > + relabel_lnk_files_pattern($1, file_type, file_type)
> > + relabel_fifo_files_pattern($1, file_type, file_type)
> > + relabel_sock_files_pattern($1, file_type, file_type)
> > + relabelfrom_blk_files_pattern($1, file_type, file_type)
> > + relabelfrom_chr_files_pattern($1, file_type, file_type)
> > +
> > + # satisfy the assertions:
> > + seutil_relabelto_bin_policy($1)
> > +')
> > +
> > +########################################
> > +##<summary>
> > ## Relabel all files on the filesystem, except
> > ## the listed exceptions.
> > ##</summary>
> > @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
> > ##</param>
> > ##<rolecap/>
> > #
> > -interface(`files_relabel_all_files',`
> > +interface(`files_relabel_all_files_except',`
> > gen_require(`
> > attribute file_type;
> > ')
> >
> > - allow $1 { file_type $2 }:dir list_dir_perms;
> > - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> > - relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> > + allow $1 { file_type - $2 }:dir list_dir_perms;
> > + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > # this is only relabelfrom since there should be no
> > # device nodes with file types.
> > - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
> > + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >
> > # satisfy the assertions:
> > seutil_relabelto_bin_policy($1)
> > @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
> >
> > ########################################
> > ##<summary>
> > +## Manage all files on the filesystem.
> > +##</summary>
> > +##<param name="domain">
> > +##<summary>
> > +## The type of the domain perfoming this action.
> > +##</summary>
> > +##</param>
> > +##<rolecap/>
> > +#
> > +interface(`files_manage_all_files',`
> > + gen_require(`
> > + attribute file_type;
> > + ')
> > +
> > + manage_dirs_pattern($1, file_type, file_type)
> > + manage_files_pattern($1, file_type, file_type)
> > + manage_lnk_files_pattern($1, file_type, file_type)
> > + manage_fifo_files_pattern($1, file_type, file_type)
> > + manage_sock_files_pattern($1, file_type, file_type)
> > +
> > + # satisfy the assertions:
> > + seutil_create_bin_policy($1)
> > + files_manage_kernel_modules($1)
> > +')
> > +
> > +########################################
> > +##<summary>
> > ## Manage all files on the filesystem, except
> > ## the listed exceptions.
> > ##</summary>
> > @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
> > ##</param>
> > ##<rolecap/>
> > #
> > -interface(`files_manage_all_files',`
> > +interface(`files_manage_all_files_except',`
> > gen_require(`
> > attribute file_type;
> > ')
> >
> > - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> > - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> > + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >
> > # satisfy the assertions:
> > seutil_create_bin_policy($1)
> > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> > index 7fddc24..c116df6 100644
> > --- a/policy/modules/system/authlogin.if
> > +++ b/policy/modules/system/authlogin.if
> > @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
> > type shadow_t;
> > ')
> >
> > - files_read_all_dirs_except($1,$2 -shadow_t)
> > + files_read_all_dirs_except($1, shadow_t)
> > ')
> >
> > ########################################
> > @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
> > type shadow_t;
> > ')
> >
> > - files_read_all_files_except($1,$2 -shadow_t)
> > + files_read_all_files_except($1, shadow_t)
> > ')
> >
> > ########################################
> > @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
> > type shadow_t;
> > ')
> >
> > - files_read_all_symlinks_except($1,$2 -shadow_t)
> > + files_read_all_symlinks_except($1, shadow_t)
> > ')
> >
> > ########################################
> > @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
> > type shadow_t;
> > ')
> >
> > - files_relabel_all_files($1,$2 -shadow_t)
> > + files_relabel_all_files_except($1, shadow_t)
> > ')
> >
> > ########################################
> > @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
> > type shadow_t;
> > ')
> >
> > - files_manage_all_files($1,$2 -shadow_t)
> > + files_manage_all_files_except($1, shadow_t)
> > ')
> >
> > ########################################
> >
>
>

--
James Carter <[email protected]>
National Security Agency

2010-08-25 15:56:30

by cpebenito

Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-"

On 08/25/10 10:19, James Carter wrote:
> On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote:
>> On 08/24/10 15:50, James Carter wrote:
>>> The *_except interfaces expect the caller to call it like this:
>>> files_read_all_dirs_except(foo_t, - bar_t)
>>>
>>> This makes the call argument hard to deal with because it is neither a
>>> type nor a set. Also an argument like $2 -shadow_t could either be a
>>> set or an MLS range.
>>>
>>> The *_except interfaces are never used except for in the *_except_shadow
>>> interfaces. The calls to the *_except_shadow interfaces never specify a
>>> second argument.
>>>
>>> files_manage_all_files is called only in portage.te (with no exception)
>>> and authlogin.if.
>>
>> Theres two issues with this change:
>>
>> 1. It breaks API stability.
>
> That may be true, but the current interface makes no sense to me. If I
> use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows
> access to file_type and bar_t. It doesn't exclude anything.
>
>> 2. It doesn't work if you want to specify a set, e.g.
>>
>> files_read_all_dirs_except(foo_t, { bar_t baz_t })
>>
> Why doesn't that work? Doesn't that give
> { file_type - { bar_t baz_t } }?

I didn't think that was valid. Is it?

> Again, if you don't like the changes, that's fine. It is just something
> that will have to be worked around. Any changes that you do accept just
> makes life a easier.

I'd like to get rid of the interfaces completely. I just haven't come
up with a better way of getting { file_type -shadow_t } without
breaking encapsulation. Perhaps we just have to rethink the access or
the concept.

>>> ---
>>> policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
>>> policy/modules/system/authlogin.if | 10 ++--
>>> 2 files changed, 79 insertions(+), 23 deletions(-)
>>>
>>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
>>> index 5302dac..9212dea 100644
>>> --- a/policy/modules/kernel/files.if
>>> +++ b/policy/modules/kernel/files.if
>>> @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
>>> attribute file_type;
>>> ')
>>>
>>> - allow $1 { file_type $2 }:dir list_dir_perms;
>>> + allow $1 { file_type - $2 }:dir list_dir_perms;
>>> ')
>>>
>>> ########################################
>>> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
>>> attribute file_type;
>>> ')
>>>
>>> - read_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> ')
>>>
>>> ########################################
>>> @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
>>> attribute file_type;
>>> ')
>>>
>>> - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> ')
>>>
>>> ########################################
>>> @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
>>>
>>> ########################################
>>> ##<summary>
>>> +## Relabel all files on the filesystem
>>> +##</summary>
>>> +##<param name="domain">
>>> +##<summary>
>>> +## The type of the domain perfoming this action.
>>> +##</summary>
>>> +##</param>
>>> +##<rolecap/>
>>> +#
>>> +interface(`files_relabel_all_files',`
>>> + gen_require(`
>>> + attribute file_type;
>>> + ')
>>> +
>>> + allow $1 file_type : dir list_dir_perms;
>>> + relabel_dirs_pattern($1, file_type, file_type)
>>> + relabel_files_pattern($1, file_type, file_type)
>>> + relabel_lnk_files_pattern($1, file_type, file_type)
>>> + relabel_fifo_files_pattern($1, file_type, file_type)
>>> + relabel_sock_files_pattern($1, file_type, file_type)
>>> + relabelfrom_blk_files_pattern($1, file_type, file_type)
>>> + relabelfrom_chr_files_pattern($1, file_type, file_type)
>>> +
>>> + # satisfy the assertions:
>>> + seutil_relabelto_bin_policy($1)
>>> +')
>>> +
>>> +########################################
>>> +##<summary>
>>> ## Relabel all files on the filesystem, except
>>> ## the listed exceptions.
>>> ##</summary>
>>> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
>>> ##</param>
>>> ##<rolecap/>
>>> #
>>> -interface(`files_relabel_all_files',`
>>> +interface(`files_relabel_all_files_except',`
>>> gen_require(`
>>> attribute file_type;
>>> ')
>>>
>>> - allow $1 { file_type $2 }:dir list_dir_perms;
>>> - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + allow $1 { file_type - $2 }:dir list_dir_perms;
>>> + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> # this is only relabelfrom since there should be no
>>> # device nodes with file types.
>>> - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>>
>>> # satisfy the assertions:
>>> seutil_relabelto_bin_policy($1)
>>> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
>>>
>>> ########################################
>>> ##<summary>
>>> +## Manage all files on the filesystem.
>>> +##</summary>
>>> +##<param name="domain">
>>> +##<summary>
>>> +## The type of the domain perfoming this action.
>>> +##</summary>
>>> +##</param>
>>> +##<rolecap/>
>>> +#
>>> +interface(`files_manage_all_files',`
>>> + gen_require(`
>>> + attribute file_type;
>>> + ')
>>> +
>>> + manage_dirs_pattern($1, file_type, file_type)
>>> + manage_files_pattern($1, file_type, file_type)
>>> + manage_lnk_files_pattern($1, file_type, file_type)
>>> + manage_fifo_files_pattern($1, file_type, file_type)
>>> + manage_sock_files_pattern($1, file_type, file_type)
>>> +
>>> + # satisfy the assertions:
>>> + seutil_create_bin_policy($1)
>>> + files_manage_kernel_modules($1)
>>> +')
>>> +
>>> +########################################
>>> +##<summary>
>>> ## Manage all files on the filesystem, except
>>> ## the listed exceptions.
>>> ##</summary>
>>> @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
>>> ##</param>
>>> ##<rolecap/>
>>> #
>>> -interface(`files_manage_all_files',`
>>> +interface(`files_manage_all_files_except',`
>>> gen_require(`
>>> attribute file_type;
>>> ')
>>>
>>> - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>>
>>> # satisfy the assertions:
>>> seutil_create_bin_policy($1)
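Review bot: `{ file_type - $2 }` only parses when `$2` is a single type identifier: a nested set such as `{ bar_t baz_t }` is not valid on the right-hand side of `-`, and an empty `$2` expands to `{ file_type - }`, which is a syntax error, whereas the old `{ file_type $2 }` degraded to plain `file_type` when the argument was omitted. The parameter description above this hunk (outside the view) should state that constraint, e.g. `## A single type to exclude; set expressions are not accepted here.` Callers needing several exclusions would presumably have to chain the interface or pass `a_t -b_t`, which reintroduces the awkward argument form this patch is trying to remove, so that limitation is worth spelling out.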
>>> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
>>> index 7fddc24..c116df6 100644
>>> --- a/policy/modules/system/authlogin.if
>>> +++ b/policy/modules/system/authlogin.if
>>> @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_dirs_except($1,$2 -shadow_t)
>>> + files_read_all_dirs_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_files_except($1,$2 -shadow_t)
>>> + files_read_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_symlinks_except($1,$2 -shadow_t)
>>> + files_read_all_symlinks_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_relabel_all_files($1,$2 -shadow_t)
>>> + files_relabel_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_manage_all_files($1,$2 -shadow_t)
>>> + files_manage_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>>
>>
>>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-08-25 17:10:43

by jwcart2

Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-"

On Wed, 2010-08-25 at 11:56 -0400, Christopher J. PeBenito wrote:
> On 08/25/10 10:19, James Carter wrote:
> > On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote:
> >> On 08/24/10 15:50, James Carter wrote:
> >>> The *_except interfaces expect the caller to call it like this:
> >>> files_read_all_dirs_except(foo_t, - bar_t)
> >>>
> >>> This makes the call argument hard to deal with because it is neither a
> >>> type nor a set. Also an argument like $2 -shadow_t could either be a
> >>> set or an MLS range.
> >>>
> >>> The *_except interfaces are never used except for in the *_except_shadow
> >>> interfaces. The calls to the *_except_shadow interfaces never specify a
> >>> second argument.
> >>>
> >>> files_manage_all_files is called only in portage.te (with no exception)
> >>> and authlogin.if.
> >>
> >> Theres two issues with this change:
> >>
> >> 1. It breaks API stability.
> >
> > That may be true, but the current interface makes no sense to me. If I
> > use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows
> > access to file_type and bar_t. It doesn't exclude anything.
> >
> >> 2. It doesn't work if you want to specify a set, e.g.
> >>
> >> files_read_all_dirs_except(foo_t, { bar_t baz_t })
> >>
> > Why doesn't that work? Doesn't that give
> > { file_type - { bar_t baz_t } }?
>
> I didn't think that was valid. Is it?

You're right. It's not valid. I didn't realize the set expressions
were that limited. And I went through all that trouble making sure that
my parser could handle arbitrary set expressions.

>
> > Again, if you don't like the changes, that's fine. It is just something
> > that will have to be worked around. Any changes that you do accept just
> > make life easier.
>
> I'd like to get rid of the interfaces completely. I just haven't come
> up with a better way of getting { file_type -shadow_t } without
> breaking encapsulation. Perhaps we just have to rethink the access or
> concept.
>

The interfaces are only used in Refpolicy for shadow_t. If special
interfaces could be made for shadow_t, while retaining the old ones for
compatibility, then at least Refpolicy itself would not have "-shadow_t"
as an argument. That would help a bunch.

> >>> ---
> >>> policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
> >>> policy/modules/system/authlogin.if | 10 ++--
> >>> 2 files changed, 79 insertions(+), 23 deletions(-)
> >>>
> >>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> >>> index 5302dac..9212dea 100644
> >>> --- a/policy/modules/kernel/files.if
> >>> +++ b/policy/modules/kernel/files.if
> >>> @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - allow $1 { file_type $2 }:dir list_dir_perms;
> >>> + allow $1 { file_type - $2 }:dir list_dir_perms;
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - read_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
> >>>
> >>> ########################################
> >>> ##<summary>
> >>> +## Relabel all files on the filesystem
> >>> +##</summary>
> >>> +##<param name="domain">
> >>> +##<summary>
> >>> +## The type of the domain perfoming this action.
> >>> +##</summary>
> >>> +##</param>
> >>> +##<rolecap/>
> >>> +#
> >>> +interface(`files_relabel_all_files',`
> >>> + gen_require(`
> >>> + attribute file_type;
> >>> + ')
> >>> +
> >>> + allow $1 file_type : dir list_dir_perms;
> >>> + relabel_dirs_pattern($1, file_type, file_type)
> >>> + relabel_files_pattern($1, file_type, file_type)
> >>> + relabel_lnk_files_pattern($1, file_type, file_type)
> >>> + relabel_fifo_files_pattern($1, file_type, file_type)
> >>> + relabel_sock_files_pattern($1, file_type, file_type)
> >>> + relabelfrom_blk_files_pattern($1, file_type, file_type)
> >>> + relabelfrom_chr_files_pattern($1, file_type, file_type)
> >>> +
> >>> + # satisfy the assertions:
> >>> + seutil_relabelto_bin_policy($1)
> >>> +')
> >>> +
> >>> +########################################
> >>> +##<summary>
> >>> ## Relabel all files on the filesystem, except
> >>> ## the listed exceptions.
> >>> ##</summary>
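Review bot: `files_relabel_all_files` now takes a single argument under the old name, and the original two-argument form is still accepted by m4 with `$2` ignored, so an existing `files_relabel_all_files(foo_t, -shadow_t)` call keeps building and gains relabelfrom/relabelto on shadow_t without any warning. A differently named interface, or a temporary guard that errors on a non-empty `$2`, would make the API break visible instead of silent. The summary should also spell out the scope, e.g. `## Relabel every file_type on the filesystem, including shadow_t; see files_relabel_all_files_except.`, and `perfoming` in the parameter description should read `performing`.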
> >>> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
> >>> ##</param>
> >>> ##<rolecap/>
> >>> #
> >>> -interface(`files_relabel_all_files',`
> >>> +interface(`files_relabel_all_files_except',`
> >>> gen_require(`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - allow $1 { file_type $2 }:dir list_dir_perms;
> >>> - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + allow $1 { file_type - $2 }:dir list_dir_perms;
> >>> + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> # this is only relabelfrom since there should be no
> >>> # device nodes with file types.
> >>> - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>
> >>> # satisfy the assertions:
> >>> seutil_relabelto_bin_policy($1)
> >>> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
> >>>
> >>> ########################################
> >>> ##<summary>
> >>> +## Manage all files on the filesystem.
> >>> +##</summary>
> >>> +##<param name="domain">
> >>> +##<summary>
> >>> +## The type of the domain perfoming this action.
> >>> +##</summary>
> >>> +##</param>
> >>> +##<rolecap/>
> >>> +#
> >>> +interface(`files_manage_all_files',`
> >>> + gen_require(`
> >>> + attribute file_type;
> >>> + ')
> >>> +
> >>> + manage_dirs_pattern($1, file_type, file_type)
> >>> + manage_files_pattern($1, file_type, file_type)
> >>> + manage_lnk_files_pattern($1, file_type, file_type)
> >>> + manage_fifo_files_pattern($1, file_type, file_type)
> >>> + manage_sock_files_pattern($1, file_type, file_type)
> >>> +
> >>> + # satisfy the assertions:
> >>> + seutil_create_bin_policy($1)
> >>> + files_manage_kernel_modules($1)
> >>> +')
> >>> +
> >>> +########################################
> >>> +##<summary>
> >>> ## Manage all files on the filesystem, except
> >>> ## the listed exceptions.
> >>> ##</summary>
> >>> @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
> >>> ##</param>
> >>> ##<rolecap/>
> >>> #
> >>> -interface(`files_manage_all_files',`
> >>> +interface(`files_manage_all_files_except',`
> >>> gen_require(`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>
> >>> # satisfy the assertions:
> >>> seutil_create_bin_policy($1)
> >>> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> >>> index 7fddc24..c116df6 100644
> >>> --- a/policy/modules/system/authlogin.if
> >>> +++ b/policy/modules/system/authlogin.if
> >>> @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_read_all_dirs_except($1,$2 -shadow_t)
> >>> + files_read_all_dirs_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_read_all_files_except($1,$2 -shadow_t)
> >>> + files_read_all_files_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_read_all_symlinks_except($1,$2 -shadow_t)
> >>> + files_read_all_symlinks_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_relabel_all_files($1,$2 -shadow_t)
> >>> + files_relabel_all_files_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_manage_all_files($1,$2 -shadow_t)
> >>> + files_manage_all_files_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>>
> >>
> >>
> >
>
>

--
James Carter <[email protected]>
National Security Agency