2015-04-27 18:03:03

by Dac Override

Subject: [refpolicy] [PATCH] Role type statements no longer declare the role

Back in the older days, role type statements automatically declared the role. This was later changed.

I expect that these macros date from that period and that they should be updated to declare the role.
---
policy/modules/system/userdomain.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5f71587..9269135 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -27,11 +27,11 @@ template(`userdom_base_user_template',`
attribute userdomain;
type user_devpts_t, user_tty_device_t;
class context contains;
- role $1_r;
')

attribute $1_file_type;

+ role $1_r;
type $1_t, userdomain;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
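Review bot: the removed `role $1_r;` sat inside the gen_require block that the `')` two lines below closes, so this hunk changes the template from requiring the role to declaring it, not merely adds a missing declaration; the commit message should say so, and every caller of userdom_base_user_template whose role is already declared elsewhere (per the thread, kernel.te declares sysadm_r, staff_r, user_r and unconfined_r) now carries a duplicate declaration that should be checked rather than assumed harmless. The `role $1_r types $1_t;` statement the subject line refers to is not in the visible context, so confirm it still follows the new `role $1_r;` line in the template body, and bring the indentation of the added line in line with the surrounding lines before this goes in, as the author notes it is not refpolicy style.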
--
2.3.6


2015-04-27 18:05:35

by Dac Override

Subject: [refpolicy] [PATCH] Role type statements no longer declare the role

On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
> Back in the older days, role type statements automatically declared the role. This was later changed.
>
> I expect that these macros date from that period and that they should be updated to declare the role.

This is just an RFC patch. It's untested and the indent does not conform to refpolicy style rules.

Just want to hear opinions.

> ---
> policy/modules/system/userdomain.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 5f71587..9269135 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -27,11 +27,11 @@ template(`userdom_base_user_template',`
> attribute userdomain;
> type user_devpts_t, user_tty_device_t;
> class context contains;
> - role $1_r;
> ')
>
> attribute $1_file_type;
>
> + role $1_r;
> type $1_t, userdomain;
> domain_type($1_t)
> corecmd_shell_entry_type($1_t)
> --
> 2.3.6
>

--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift

2015-04-27 18:55:18

by sven.vermeulen

Subject: [refpolicy] [PATCH] Role type statements no longer declare the role

On Mon, Apr 27, 2015 at 08:05:35PM +0200, Dominick Grift wrote:
> On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
> > Back in the older days, role type statements automatically declared the role. This was later changed.
> >
> > I expect that these macros date from that period and that they should be updated to declare the role.
>
> This is just an RFC patch. It's untested and the indent does not conform to refpolicy style rules.
>
> Just want to hear opinions.

I think I'm okay with the suggestion. At first I was wondering if it is more of
cosmetic nature than actually necessary, but then I found that kernel.te
is declaring the basic roles already as well, and that I had declared the
role specifically in some other modules that I'm using.

Do you think the default role declarations in kernel.te can be dismissed if
your change is put through, or is the declaration of sysadm_r, staff_r, user_r
and unconfined_r in kernel.te needed due to other dependencies?

I can confirm that a duplicate role declaration does not seem to give any
issues on 2.3 and 2.4 userspace, so the above question doesn't need to be
answered before going forward with the change.

Wkr,
Sven Vermeulen

2015-04-27 19:05:15

by Dac Override

Subject: [refpolicy] [PATCH] Role type statements no longer declare the role

On Mon, Apr 27, 2015 at 08:55:18PM +0200, Sven Vermeulen wrote:
> On Mon, Apr 27, 2015 at 08:05:35PM +0200, Dominick Grift wrote:
> > On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
> > > Back in the older days, role type statements automatically declared the role. This was later changed.
> > >
> > > I expect that these macros date from that period and that they should be updated to declare the role.
> >
> > This is just an RFC patch. It's untested and the indent does not conform to refpolicy style rules.
> >
> > Just want to hear opinions.
>
> I think I'm okay with the suggestion. At first I was wondering if it is more of
> cosmetic nature than actually necessary, but then I found that kernel.te
> is declaring the basic roles already as well, and that I had declared the
> role specifically in some other modules that I'm using.
>
> Do you think the default role declarations in kernel.te can be dismissed if
> your change is put through, or is the declaration of sysadm_r, staff_r, user_r
> and unconfined_r in kernel.te needed due to other dependencies?
>
> I can confirm that a duplicate role declaration does not seem to give any
> issues on 2.3 and 2.4 userspace, so the above question doesn't need to be
> answered before going forward with the change.

I suspect we could then, at least in theory, get rid of (at least some of the) declarations in kernel.te

Only way to really find out is to test it.

>
> Wkr,
> Sven Vermeulen


2015-04-27 19:07:03

by cpebenito

Subject: [refpolicy] [PATCH] Role type statements no longer declare the role

On 4/27/2015 2:55 PM, Sven Vermeulen wrote:
> On Mon, Apr 27, 2015 at 08:05:35PM +0200, Dominick Grift wrote:
>> On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
>>> Back in the older days, role type statements automatically declared the role. This was later changed.
>>>
>>> I expect that these macros date from that period and that they should be updated to declare the role.
>>
>> This is just an RFC patch. It's untested and the indent does not conform to refpolicy style rules.
>>
>> Just want to hear opinions.
>
> I think I'm okay with the suggestion. At first I was wondering if it is more of
> cosmetic nature than actually necessary, but then I found that kernel.te
> is declaring the basic roles already as well, and that I had declared the
> role specifically in some other modules that I'm using.
>
> Do you think the default role declarations in kernel.te can be dismissed if
> your change is put through, or is the declaration of sysadm_r, staff_r, user_r
> and unconfined_r in kernel.te needed due to other dependencies?
>
> I can confirm that a duplicate role declaration does not seem to give any
> issues on 2.3 and 2.4 userspace, so the above question doesn't need to be
> answered before going forward with the change.

The reason the role declarations are in kernel.te is because of the user
declarations in policy/users. If you turn off unconfined, then base
fails to compile.

One option may be to eliminate all user declarations except system_u,
and then it would be up to the distros/users to create their own users
(even if it is just to restore what we currently have). That being
said, I don't like that option much, as refpolicy can't work out of the box.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
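Added example, not from the thread and not refpolicy's own tooling: a small Python lint over constructed policy sources that shows the two failure modes discussed above in one place. It treats `role X types Y;` and the role list of gen_user() as uses of a role, `role X;` outside gen_require as a declaration and `role X;` inside gen_require as a requirement, and then flags (a) a loadable module that uses a role it neither declares nor requires, which is what a template written when role-types statements still declared the role becomes once they stopped, and (b) a base source such as policy/users that references a role only a loadable module declares, which is the unconfined case Chris describes. The module names, sample sources and the base/module split are assumptions made for the demo, and the regexes cover only the plain refpolicy syntax in the samples, not full m4.

```python
"""Lint SELinux reference-policy sources for roles used without a visible
declaration.  Added example; the sources below are constructed, not real
refpolicy files, and the regexes handle only their plain syntax, not m4."""
import re
from dataclasses import dataclass, field

REQUIRE_RE = re.compile(r"gen_require\(`(.*?)'\)", re.DOTALL)
ROLE_DECL_RE = re.compile(r"^\s*role\s+(\w+)\s*;", re.MULTILINE)
ROLE_TYPES_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+", re.MULTILINE)
# gen_user(name, prefix, roles, ...): the third argument is a space-separated role list
GEN_USER_RE = re.compile(r"gen_user\(\s*\w+\s*,[^,]*,\s*([\w\s]+?)\s*,")


@dataclass
class ModuleRoles:
    name: str
    base: bool                                   # compiled into base (kernel.te, users)
    declared: set = field(default_factory=set)   # `role X;` in the body
    required: set = field(default_factory=set)   # `role X;` inside gen_require
    used: set = field(default_factory=set)       # `role X types` / gen_user() roles


def scan_module(name, source, base=False):
    """Collect role declarations, requirements and uses from one policy source."""
    m = ModuleRoles(name, base)
    for block in REQUIRE_RE.findall(source):
        m.required.update(ROLE_DECL_RE.findall(block))
    body = REQUIRE_RE.sub("", source)            # everything outside gen_require
    m.declared.update(ROLE_DECL_RE.findall(body))
    m.used.update(ROLE_TYPES_RE.findall(body))   # `role X types` no longer declares X
    for roles in GEN_USER_RE.findall(body):
        m.used.update(roles.split())
    return m


def find_problems(modules):
    """Map module name -> sorted roles with no declaration visible to it.

    Base sources form one compilation unit, so they see every base declaration
    but nothing a loadable module declares.  A loadable module sees its own
    declarations plus what it requires, and a required role must be declared
    by some source or the link fails."""
    declared_anywhere = set().union(*(m.declared for m in modules))
    declared_in_base = set().union(*(m.declared for m in modules if m.base))
    problems = {}
    for m in modules:
        visible = declared_in_base if m.base else (m.declared | m.required)
        bad = {r for r in m.used if r not in visible}
        bad |= {r for r in m.required if r not in declared_anywhere}
        if bad:
            problems[m.name] = sorted(bad)
    return problems


def duplicate_declarations(modules):
    """Roles declared by more than one source: tolerated per the thread's
    testing, but worth knowing before dropping the kernel.te declarations."""
    seen = {}
    for m in modules:
        for role in m.declared:
            seen.setdefault(role, []).append(m.name)
    return {r: sorted(names) for r, names in seen.items() if len(names) > 1}


# Constructed sample sources (assumed names and contents, for the demo only).
KERNEL_TE = """
role system_r;
role sysadm_r;
role staff_r;
role user_r;
type kernel_t;
role system_r types kernel_t;
"""
USERS = """
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(staff_u, staff, staff_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
"""
STAFF_TE = """
gen_require(`
    role staff_r;
')
type staff_t;
role staff_r types staff_t;
"""
UNCONFINED_TE = """
role unconfined_r;
type unconfined_t;
role unconfined_r types unconfined_t;
"""
LEGACY_TE = """
type legacy_t;
role legacy_r types legacy_t;
"""
KERNEL_TE_FIXED = KERNEL_TE + "role unconfined_r;\n"  # role declared in base as well
LEGACY_TE_FIXED = "role legacy_r;\n" + LEGACY_TE      # the declaration the patch adds


def lint(sources):
    """sources: iterable of (name, text, is_base) tuples."""
    return find_problems([scan_module(n, t, b) for n, t, b in sources])


BROKEN = [("kernel", KERNEL_TE, True), ("users", USERS, True), ("staff", STAFF_TE, False),
          ("unconfined", UNCONFINED_TE, False), ("legacy", LEGACY_TE, False)]
FIXED = [("kernel", KERNEL_TE_FIXED, True), ("users", USERS, True), ("staff", STAFF_TE, False),
         ("unconfined", UNCONFINED_TE, False), ("legacy", LEGACY_TE_FIXED, False)]

if __name__ == "__main__":
    print("before:", lint(BROKEN))   # {'users': ['unconfined_r'], 'legacy': ['legacy_r']}
    print("after: ", lint(FIXED))    # {}
    print("dupes: ", duplicate_declarations([scan_module(n, t, b) for n, t, b in FIXED]))
```

To run this over a real tree, feed each module's .te text to scan_module with base=False and kernel.te plus policy/users with base=True; the "staff" sample shows the require-based pattern the template used before the patch still passes as long as some base source declares the role, while the "legacy" sample is the post-change breakage the patch fixes.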